Cyber Security in Medical Devices (Part 2)

As we mentioned last time, cybersecurity measures are a form of risk management (ISO 14971).
For medical devices that are connected to a network or that exchange data with other devices (for example via USB memory devices), risk management must treat cyber attacks as one of the hazards to be identified during hazard analysis.
In the post-market phase, medical device manufacturers and distributors should cooperate with relevant parties, including medical professionals, to conduct risk analyses based on the characteristics of each individual medical device, and then take sufficient measures to reduce the risk from cyber attacks.
For example, if network security at a medical institution is weak, a computer virus could infect the medical device and then spread to other healthcare software or medical devices at the institution, or the medical device could itself be infected from that healthcare software or those other devices.

Collaboration with medical institutions 

Medical device companies must promptly notify each medical institution of any cybersecurity vulnerability discovered in their medical devices. Upon receiving such a notification, medical institutions must promptly discontinue use of the affected medical device and disconnect it from their networks.
However, if an untrusted channel is used for the notification, the vulnerability of the medical device in question may become known to malicious parties, which is counterproductive.
The method of notifying cybersecurity-related vulnerabilities should therefore be thoroughly agreed upon in advance with each medical institution concerned.

In this respect, more mature companies are likely to promptly notify the public of any cybersecurity vulnerability found in their medical devices. Small and medium-sized companies, however, may withhold disclosure of a vulnerability for fear of declining sales or being forced to withdraw from the market. In such a case, there is a concern that the damage could spread.

Legacy medical devices

Products that were sold in the past and are already in use may qualify as legacy medical devices (medical devices that cannot be reasonably protected against current cybersecurity threats).
Legacy medical devices are medical devices that cannot be protected against current cybersecurity threats by reasonable means such as updates or compensating measures.
This is problematic because the clinically useful life of a medical device often exceeds the period for which security support is provided.
A device should not be classified as a legacy medical device solely because of its age. For example, even a device that has been on the market for less than one year is a legacy medical device if it cannot be protected by reasonable means against cybersecurity threats, while a device that has been on the market for more than five years is not legacy if it can be protected by reasonable means.
It is important to note that a device can therefore be a legacy medical device immediately after its launch.
Designers must have current and sufficient knowledge of cybersecurity.
The IMDRF guidance introduces a new approach to handling legacy medical devices: medical device manufacturers are encouraged to clearly indicate to healthcare providers when support services for a medical device will end (EOS: End Of Support).

  • Once an agreement on EOS is reached, the risk of using the relevant medical device until the End Of Life (EOL) is transferred to the healthcare provider.
  • Legacy medical devices that are not adequately protected are an easy target for attackers, and leaving them unattended is a business continuity risk for medical device manufacturers.

On the other hand, legacy medical devices can also create business opportunities for device upgrades and replacements.
Medical device manufacturers need to review their business continuity plans and business strategies by taking early action on the following activities:

  • Identification of their legacy medical devices
  • Vulnerability assessment of legacy medical devices and a response plan (including EOS)
  • An organized record of the healthcare providers using their legacy medical devices

Ideally, legacy medical devices would be phased out with appropriate advance notice to healthcare providers so that business continuity can be planned.
