The 2017 Regulations: essential safety requirements for medical devices
Two Regulations (745/2017 and 746/2017) on medical devices were adopted and entered into force in 2017. These legislative texts will apply progressively until May 2020 for medical devices and May 2022 for in vitro diagnostic medical devices.
Among other things, these Regulations lay down safety requirements to ensure that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks. Thus, manufacturers are required to set IT security measures for medical devices, including protection against unauthorised access. Cybersecurity requirements laid down by the Medical Devices Regulations deal both with pre-market and post-market aspects.
The recently released guidance gives details to manufacturers on how they can fulfil the cybersecurity requirements set in the Regulations. This document can also be of interest to other stakeholders.
Guidance on cybersecurity requirements
I) Security-by-design
Medical devices should be secure by design. This means that risks associated with reasonably foreseeable environmental conditions should be removed or minimised. Devices should be designed using a layered, defence-in-depth approach and therefore should not rely on security controls in the operating environment. Nevertheless, there are still expectations regarding the operating environment (as described below).
II) Security Risk Management
The guidance underlines that manufacturers need to distinguish:
a) Safety risk management normally covered in the overall product risk management;
b) Security risk, which is not associated with safety.
There is no need for a separate risk management process for security risks. However, specific methods and requirements are used for security risks. When a security risk could have a possible impact on safety, it should be included in the safety risk assessment.
III) Security capabilities
Manufacturers should use threat modelling techniques and draw up a list of vulnerabilities.
It is necessary to specify the security capabilities, based on the list of known vulnerabilities and attack vectors. The guidance provides an indicative list of security capabilities (page 19), including automatic logoff, cybersecurity product upgrade, personal data de-identification, data backup, malware detection, physical locks, and transmission confidentiality.
Manufacturers should consider the device’s intended clinical use and intended operational environment to choose adequate security capabilities.
IV) Operating environment
Manufacturers must set out “minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended” (article 17.4 of the Medical Device Regulation).
In other words, it is the manufacturer’s responsibility to determine the minimum requirements for the operating environment as regards IT network characteristics and IT security measures that could not be implemented through the product design.
The guidance provides an indicative list of requirements for the operating environment of medical devices (pages 22-23). This list includes:
· Appropriate security controls such as:
    o User access management (credentials for accessing software applications or devices, user access policy, etc.)
    o Antivirus / anti-malware software
    o Firewall
· Control and security of network traffic via appropriate measures, such as:
    o Network segmentation
    o Traffic filtering
    o Data encryption
· Appropriate provisions regarding patching.
V) Verification/validation of software
The guidance highlights that the primary means of security verification and validation is testing. The document mentions the following methods: security feature testing, fuzz testing, vulnerability scanning and penetration testing. Additional security testing can be done by using tools for secure code analysis and tools that scan for open source code and libraries used in the product, to identify components with known issues.
VI) Post-market surveillance and reporting to competent authorities
Manufacturers must take measures that cover the entire lifecycle of the product. Thus, manufacturers are required to put in place a post-market surveillance system. They should gather post-market information related to the security of devices, such as security incidents, security vulnerabilities and changes in the threat landscape. They should also take appropriate measures, such as software updates or patches.
Moreover, manufacturers are responsible for notifying serious incidents and field safety corrective actions to the competent authorities.
---
Annex I: List of security requirements covered by the NIS Directive
Annex II: Examples of cybersecurity incidents
Annex III: Applicable standards (for information purposes only because they cannot provide a presumption of conformity unless they are harmonised and published in the Official Journal of the EU)