Keeping patient information and networks secure
23 November 2021
Today, the average hospital bed has 10 to 15 connected devices, providing diagnostic information to the patient’s care team, monitoring the patient’s vital signs and dispensing medicine for treatment. By having this crucial information at their fingertips, doctors, physician assistants and nurses are able to monitor their patients remotely, and provide more proactive care.
Due to the sensitive nature of patient medical information, and the increased risk if these devices or the network to which they are connected are compromised, regulators in the U.S., Canada and the EU have developed cybersecurity standards for medical devices to ensure the security of both the devices and the networks.
Medical device assessments are driven by regulators and suppliers. From a regulatory perspective, in the U.S. the Food & Drug Administration (FDA) outlines the cybersecurity requirements. In the EU, there are the Medical Device Regulation (MDR), the In Vitro Diagnostics Regulation (IVDR) and the IMDRF Principles and Practices of Medical Device Cybersecurity.
In the U.S., the requirement covers the design, development, production, deployment and maintenance of regulated devices, resulting in a proactive view of cybersecurity. In Canada, the requirement is slightly different: the focus is on the bill of materials (BOM) and lists of software. In Europe, the MDR sets out a number of groups of principles. All have commonalities, but the best approach to compliance is a single consistent method that addresses every compliance requirement.
The FDA approval process in the U.S. focuses on risk management and includes a product design review, a risk analysis, and verification and validation. If you are selling your product in the EU, the MDR process is similar to the FDA process, but risk is viewed somewhat differently. EU regulators look to reduce risk in all operational modes, anticipating foreseeable risks so as to ensure the intended device performance and a high level of protection of health.
A number of reference standards exist that help medical device manufacturers demonstrate compliance with the regulatory requirements, including UL 2900-2-1, IEC 62443 and the NIST Framework.
It is best to reach out to the regulatory authority at the beginning stages of product development to determine which elements of the risk management process are most important to consider. While the wording of the regulations differs between markets, the testing is very consistent because it is based on the available standards. Intertek’s cybersecurity experts have the knowledge to help you navigate the different regulatory requirements and standards for your connected medical devices.