This document discusses cybersecurity issues related to medical devices. It summarizes the FDA's approach to cybersecurity, which is based on the NIST cybersecurity framework. It also discusses the current and future EU regulations regarding medical devices and cybersecurity, noting that the future regulations do not specifically address cybersecurity. Finally, it outlines some general EU security regulations and standards that relate to medical devices, including those regarding data protection, risk management, and notification of security incidents.
1. CYBERSECURITY FOR MEDICAL DEVICES
MD Project event
9 December 2014
Erik Vollebregt
www.axonadvocaten.nl
2. Agenda:
1. Introduction
2. FDA approach to cybersecurity measures
3. Current EU Medical Devices law
4. Future EU Medical Devices law
5. General EU security regulations and standards
3. Setting the scene
• Homeland pacemaker hack;
• FDA Guidelines on Premarket Submissions for Management of Cybersecurity in Medical Devices;
• Proposals for MDR and IVDR;
• EU Directive 95/46/EC on personal data protection;
• EU Commission's Green Paper on mHealth;
4. FDA approach to cybersecurity measures
Based on US National Institute of Standards and Technology (NIST) cybersecurity framework:
• identification of assets, threats and vulnerabilities;
• assessment of the impact of threats and vulnerabilities on device functionality and end users / patients;
• assessment of the likelihood of a threat and of a vulnerability being exploited;
• determination of risk levels and suitable mitigation strategies;
• assessment of residual risk and risk acceptance criteria;
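As an added illustration of the five steps listed on this slide (not part of the original deck, and not an FDA or NIST artefact), the following Python risk register walks one constructed set of device assets through identification, impact and likelihood assessment, risk-level determination, mitigation, and a residual-risk check against acceptance criteria. The 1-5 scales, the score thresholds and the acceptance rule are assumptions chosen for the example; a real premarket submission would document the manufacturer's own scales and criteria.

```python
"""Added example: a minimal cybersecurity risk register following the
steps on the slide. Every scale, threshold, asset and threat below is
constructed for illustration and is not taken from any guidance or
real device."""
from dataclasses import dataclass, field

# Constructed ordinal scales (assumption, not an FDA/NIST scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}


def risk_level(likelihood: int, impact: int) -> str:
    """Step 4: derive a risk level from likelihood x impact (constructed thresholds)."""
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int = 0  # scale steps removed from likelihood
    impact_reduction: int = 0      # scale steps removed from impact


@dataclass
class RiskItem:
    """Step 1: one asset / threat / vulnerability triple with its assessment."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    mitigations: list = field(default_factory=list)

    def initial(self):
        # Steps 2 and 3: impact and likelihood before any mitigation.
        return LIKELIHOOD[self.likelihood], IMPACT[self.impact]

    def residual(self):
        # Step 5: apply each mitigation, never dropping below the scale minimum.
        lik, imp = self.initial()
        for m in self.mitigations:
            lik = max(1, lik - m.likelihood_reduction)
            imp = max(1, imp - m.impact_reduction)
        return lik, imp


def accepted(item: RiskItem) -> bool:
    """Constructed acceptance criteria: residual 'high' is never accepted;
    residual 'medium' is accepted only if the mitigated impact is below 'critical'."""
    lik, imp = item.residual()
    level = risk_level(lik, imp)
    if level == "high":
        return False
    if level == "medium":
        return imp < IMPACT["critical"]
    return True


def assess(register):
    """Produce one summary row per register item (initial vs residual level, accepted?)."""
    rows = []
    for item in register:
        l0, i0 = item.initial()
        l1, i1 = item.residual()
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "initial": risk_level(l0, i0),
            "residual": risk_level(l1, i1),
            "accepted": accepted(item),
        })
    return rows


# Constructed sample register (hypothetical device, hypothetical findings).
SAMPLE_REGISTER = [
    RiskItem("infusion pump dose settings", "unauthorised network user changes dose",
             "unauthenticated remote management interface",
             "likely", "catastrophic",
             [Mitigation("require authenticated, encrypted management session",
                         likelihood_reduction=3)]),
    RiskItem("patient telemetry stream", "eavesdropping on hospital Wi-Fi",
             "telemetry transmitted without encryption",
             "possible", "serious",
             [Mitigation("encrypt telemetry in transit", likelihood_reduction=2)]),
    RiskItem("firmware update channel", "malicious firmware image loaded",
             "update images are not integrity-checked",
             "unlikely", "critical",
             []),  # no mitigation yet: residual risk stays as assessed
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']}: {row['initial']} -> {row['residual']}, accepted={row['accepted']}")
```

The third item shows why the last slide step matters: with no mitigation the residual level is unchanged, and because the impact remains "critical" the constructed acceptance rule rejects it, flagging that a control is still required before the risk can be signed off.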
5. Are we doing anything in the EU?
Biggest EVAH! About public utilities and communications infrastructure.
What are the medical devices companies and healthcare institutions doing?
6. EN 62304 § 5.2.2 Software requirements content re security
Typical cybersecurity points, but only with respect to standalone software
7. Future EU Medical Devices law
• nothing specifically new in the field of cybersecurity;
• MDR Proposal, Annex I, point 14 does not address cybersecurity specifically:
• point 14.2 repeats point 12.1a of the MDD, which will remain linked to EN 62304, so future cybersecurity (for the moment) is more of the same
• Any cybersecurity measure will need to come from a harmonised standard
8. Future EU Medical Devices law
• Delegated acts or common technical specifications are a good way to amend the general safety and performance requirements with cybersecurity requirements, as foreseen by the new regulations.
• However, this option for delegated acts is proposed to be removed in the EU Parliament's 1st reading of 2 April 2014.
9. General EU security regulations and
standards
• IEC 80001: Application of risk management for IT-networks incorporating medical devices
• Plays an important role in the Swedish competent authority Läkemedelsverket's 2009 first version of their guidance "Proposal for guidelines regarding classification of software based information systems used in health care".
• This is not a harmonised standard under the medical devices directives, because it is directed at clinical institutions and not at medical device manufacturers.
10. Draft NIS Directive
Article 14 provides for market operators:
• security requirements and
• incident notification duty
ERGO: all (medical) devices that run software, that interconnect and process / transmit data
11. NIS Directive
• Duty to implement measures
• Notification duty
• Public disclosure of incidents
• Delegated acts
12. General EU security regulations and
standards: data protection
• Protection against e.g. alteration and unauthorized access has everything to do with cybersecurity, as these impact directly on safety and performance of the device.
• Non-harmonization of the Data Protection Directive is a big problem because it leads to member states taking different views on security requirements.
• Dutch NCA refers to the ISO 27000 family as an informal harmonised standard
• Dutch sauce: ISO 27002 mandatory standard in the Dutch healthcare market (NEN 7510)
13. Personal data currently in the EU
• Everybody agrees the current EU system is
• Fragmented
• Outdated
• Unclear
• But, it's still a good system that has produced a lot of good practices, among others Article 29 WP opinions on security related subjects, e.g. WP 223 on IoT:
14. General EU security regulations and
standards
• Currently authorities mainly approach cybersecurity issues via the Data Protection Directive, which features a security regime in Article 17(1):
15. Privacy by design obligations for
medical devices
• WP 223: Controller has responsibility for security of IoT devices
• Parties purchasing OEM devices and solutions will want privacy by design compliance warranties
16. Privacy by design obligations for
medical devices
WP 223 on end of life devices and remote monitoring / measuring devices
18. Developments?
• Unfortunately, we do not yet have a European version of the Homeland pacemaker hack that gets politicians moving; attention is on manageable safety issues in well understood implantables
• EU Commission seems reluctant to update anything substantive in the medical devices guidance while the medical device regulations are still in the works.
• DG Enterprise might be able to make a difference in cybersecurity for medical devices.
20. THANKS FOR YOUR ATTENTION
Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
F +31 88 650 6555
M +31 6 47 180 683
E erik.vollebregt@axonlawyers.com
@meddevlegal
B http://medicaldeviceslegal.com
READ MY BLOG:
http://medicaldeviceslegal.com
www.axonlawyers.com