Top 8 Medical Device Cybersecurity Documents A Manufacturer Should Follow



As medical devices become more interconnected (networked, wireless, cloud-backed), their attack surface grows and so does their exposure to cyberattacks. To keep devices safe and effective, manufacturers need to understand which cybersecurity standards, guidance documents and regulations apply to their products.

In this blog post, we discuss:  

  • The regulatory standards & guidance documents for medical device cybersecurity
  • The types of attacks likely for medical devices.  
  • How medical device manufacturers can protect themselves.

FDA Regulatory Standards For Medical Device Cybersecurity

The FDA has released several guidance documents on medical device cybersecurity, and a few other noteworthy documents exist in the space. Let's take a look at the documents that most affect the medical device industry.

Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

One such guidance is "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices". It recommends the types of information to include in a medical device premarket submission (510(k), De Novo, PMA) to demonstrate that the device was designed with cybersecurity in mind.

The first version of this premarket guidance was issued in October 2014; the FDA released a revised draft in October 2018 and a final version in September 2023 under the title "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions". The guidance tells manufacturers how to address cybersecurity risks during the design and development phases of the product life cycle: threat modeling, a security architecture, security risk management, security testing and a software bill of materials (SBOM). FDA guidance is nonbinding, but since March 2023 section 524B of the FD&C Act (added by the Consolidated Appropriations Act, 2023) makes cybersecurity a statutory premarket requirement for "cyber devices", including an SBOM and a plan to monitor, identify and address postmarket vulnerabilities. Either way, the premarket guidance is the starting point for a manufacturer looking to improve its cybersecurity posture.

Postmarket Management of Cybersecurity in Medical Devices

Postmarket management of cybersecurity refers to the ongoing processes and activities by which manufacturers and other stakeholders identify, assess and mitigate cybersecurity risks after a device has been placed on the market. The FDA's final guidance of this name, issued in December 2016, recommends that manufacturers monitor for vulnerabilities, assess whether a vulnerability poses a controlled or uncontrolled risk to patient safety, remediate uncontrolled risks promptly, adopt a coordinated vulnerability disclosure policy, and participate in an Information Sharing and Analysis Organization (ISAO).

Medical Device Safety Action Plan

In addition to the premarket and postmarket guidances, the FDA released its "Medical Device Safety Action Plan" in April 2018. The plan is broader than cybersecurity, but one of its five focus areas is advancing medical device cybersecurity, including the expectation that manufacturers build devices with security in mind and maintain the capability to update and patch them in the field. A cybersecurity management system helps companies enforce the policies and procedures needed to identify, assess, and mitigate cybersecurity risks throughout the product life cycle.

Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software

Another FDA guidance document to follow is "Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software", issued in 2005. It addresses devices built on commercial operating systems and third-party components, and makes clear that the device manufacturer, not the OTS vendor, remains responsible for the continued safe and effective performance of the device, including evaluating and applying security patches to that software.

The FDA's guidance documents are only part of the medical device cybersecurity landscape. Other relevant frameworks include ISO/IEC 27001 and NIST SP 800-53, and in the United States the HIPAA Security Rule, which is a regulation rather than a standard and applies to protected health information handled by covered entities and their business associates. While these are not specific to medical devices, they provide a good foundation for manufacturers looking to improve cybersecurity.

ISO 27001

ISO/IEC 27001 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); it was first published in 2005 and revised in 2013 and 2022. The standard is designed to help organizations keep information assets safe. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), and organizations can be certified against it.

Medical device manufacturers can use ISO/IEC 27001 to manage cybersecurity risks in a systematic way. Another useful standard is IEC 80001-1, "Application of risk management for IT-networks incorporating medical devices". It is written primarily for the organizations (such as hospitals) that connect devices to their networks, but it defines the risk management roles and information a manufacturer is expected to supply so that a device can be deployed safely on a shared network. For the device itself, ISO 14971 is the recognized standard for applying risk management throughout the life cycle.

NIST 800-53

NIST SP 800-53 is a security and privacy control catalogue published by the National Institute of Standards and Technology (NIST). It provides guidance for selecting and implementing controls to protect information systems, and it is organized into control families (access control, audit and accountability, system and communications protection, and so on). NIST SP 800-53 is often used in conjunction with NIST SP 800-171.

NIST SP 800-171 is a smaller set of requirements, derived from SP 800-53, for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations; it applies to contractors and suppliers that handle such information for the U.S. government. Medical device manufacturers can use SP 800-53 as a catalogue from which to select and implement appropriate cybersecurity controls for their devices and supporting infrastructure.

IEC 62304

The International Electrotechnical Commission is also known for IEC 62304, the international standard for medical device software life cycle processes. The standard covers the software life cycle from planning through maintenance, with process requirements that scale with the software safety classification. It requires software risk management, which it ties to ISO 14971, but it does not itself specify security controls; cybersecurity risks have to be brought into that risk management process explicitly.

What is HACCP?

HACCP (Hazard Analysis and Critical Control Points) is a risk management technique frequently employed in the food industry for managing food safety risks. It works by analysing a process for hazards and then identifying the points at which each hazard can be prevented, eliminated or reduced to an acceptable level, and monitoring those points. The same approach can be applied to cybersecurity: identify where in the device's data flows and update paths a compromise could occur, and define and monitor the controls at those points.

CBOM

Another useful tool is a Cybersecurity Bill of Materials (CBOM), a concept the FDA introduced in its 2018 draft premarket guidance. A CBOM is an inventory of the commercial, open-source and off-the-shelf software and hardware components in a device, with their versions, so that the manufacturer (and the customer) can tell which published vulnerabilities affect the device and which patches apply. The 2023 final guidance and section 524B of the FD&C Act replaced this term with the software bill of materials (SBOM), which is now expected in premarket submissions and which should follow a machine-readable format such as CycloneDX or SPDX.
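The OTS-software guidance and the CBOM/SBOM discussion above both come down to the same operational task: keep an accurate component inventory and check it against vulnerability information. The following Python is an added example, not code from the original post or from any regulator; it builds a minimal CycloneDX-style SBOM for a hypothetical device and matches it against a constructed advisory list. The device name, component list and advisory identifiers (ADV-0001 etc.) are all made up for illustration and are not real CVE data.

```python
"""Build a minimal CycloneDX-style SBOM for a device's off-the-shelf
components and check it against a constructed advisory list.

Added example (not from the original post). Component and advisory data
below are constructed for illustration only.
"""
import json
import re

# Constructed inventory of a hypothetical infusion pump's OTS components.
DEVICE_COMPONENTS = [
    {"type": "operating-system", "name": "linux-kernel", "version": "4.19.200", "supplier": "kernel.org"},
    {"type": "library", "name": "openssl", "version": "1.1.1k", "supplier": "OpenSSL Project"},
    {"type": "library", "name": "zlib", "version": "1.2.11", "supplier": "zlib.net"},
    {"type": "firmware", "name": "ble-stack", "version": "2.3.0", "supplier": "Example Silicon (hypothetical)"},
]

# Constructed advisory list (not real CVE data): a component is affected from
# `introduced` (inclusive) up to but not including `fixed`.
ADVISORIES = [
    {"id": "ADV-0001", "name": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-0002", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-0003", "name": "linux-kernel", "introduced": "5.0.0", "fixed": "5.10.0"},
]


def parse_version(v: str) -> list:
    """Split a version like '1.1.1k' into comparable tokens.

    Numeric runs become (0, int) and letter runs become (1, str), so
    '1.1.1' < '1.1.1k' < '1.1.1l' and ints are never compared with strs.
    """
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", v)]


def affected(component_version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= component_version < fixed."""
    v = parse_version(component_version)
    return parse_version(introduced) <= v < parse_version(fixed)


def build_sbom(components, device_name="infusion-pump-x1", device_version="3.2.0") -> dict:
    """Assemble a CycloneDX 1.4-shaped document for the device (hypothetical name)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "device", "name": device_name, "version": device_version}},
        "components": [
            {
                "type": c["type"],
                "name": c["name"],
                "version": c["version"],
                "supplier": {"name": c["supplier"]},
                # pkg:generic is used because these components are not from a package ecosystem.
                "purl": f"pkg:generic/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def to_json(sbom: dict) -> str:
    """Serialize the SBOM as it would be shipped alongside the device."""
    return json.dumps(sbom, indent=2)


def match_advisories(sbom: dict, advisories) -> list:
    """Return one finding per (component, advisory) pair whose version range matches."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    sbom = build_sbom(DEVICE_COMPONENTS)
    print(to_json(sbom))
    for f in match_advisories(sbom, ADVISORIES):
        print(f"{f['component']} {f['version']} affected by {f['advisory']}; fixed in {f['fixed_in']}")
```

The version comparison is deliberately simple (it handles dotted numerics and letter suffixes such as OpenSSL's); real component ecosystems have their own ordering rules, and a production pipeline should match on package URLs against a vulnerability feed rather than on bare names. The point is that the inventory, not the advisory feed, is what only the manufacturer can produce, which is why the premarket guidance asks for it.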

Are You Following Regulatory Standards?

While many different cybersecurity standards and guidance documents are available, medical device manufacturers should start by implementing the basics. This blog post suggested several documents to reference when initiating a new cybersecurity program. In addition to the FDA guidances, standards are available from ISO, NIST and IEC.

By adopting an accepted standard, medical device companies can leverage information already in the public domain to enhance their cybersecurity programs in support of FDA expectations. Most importantly, taking such measures supports safe and secure patient care.

If you are a medical device manufacturer seeking to improve your cybersecurity, we can help. Our team of experts has experience working with medical device companies to take appropriate measures to keep your devices and data safe.