Medical Device Cybersecurity Guidance and IEC 81001-5-1

Introduction

In Japan, there are two key regulatory requirements for medical device cybersecurity: the “Guidance for Implementing Cybersecurity in Medical Devices (2nd Edition)” and “IEC 81001-5-1:2021 Health software and health IT systems—Safety, effectiveness and security—Part 5-1: Security—Activities in the product life cycle” (JIS T 81001-5-1:2023). Although these two requirements cover similar content, there are subtle differences between them, creating what might be termed a dual standard situation. This raises an important question: what specific compliance measures are required of medical device manufacturers under these circumstances? This article explains the background of these two regulatory requirements, their respective regulatory positions, and the measures required for compliance.

Development and Regulatory Position of the Medical Device Cybersecurity Implementation Guidance

International Background and Initial Publication

The international framework for medical device cybersecurity can be traced back to the “Principles and Practices for Medical Device Cybersecurity” released by the IMDRF (International Medical Device Regulators Forum) on March 18, 2020. This guidance was developed in response to increasing cyberattacks on medical devices, with the objective of enabling regulatory authorities across countries to adopt a unified approach to medical device cybersecurity.

In response to this guidance, Japan’s Ministry of Health, Labour and Welfare issued a notification in May 2020 regarding “Publication of the International Medical Device Regulators Forum (IMDRF) Guidance on Principles and Practices for Medical Device Cybersecurity.” This notification provided a Japanese translation of the IMDRF guidance. It is believed that the translation was issued to encourage immediate action by medical device manufacturers while Japan’s own cybersecurity guidance was still under development.

Subsequently, on December 24, 2021, the “Guidance for Implementing Cybersecurity in Medical Devices” was officially published. This guidance builds upon the IMDRF framework by incorporating Japan-specific requirements, and is structured such that compliance with this guidance simultaneously ensures compliance with IMDRF requirements.

Regulatory Position of the Guidance and Revision to the Second Edition

The regulatory position of this guidance is to “establish a system for confirming medical device cybersecurity implementation in the approval and licensing process.” In other words, medical device manufacturers are required to establish a cybersecurity implementation system and develop procedures in accordance with this guidance, and both are examined during regulatory inspections. In essence, this guidance is a policy document that requires manufacturers to establish organization-wide cybersecurity implementation systems.

Following the publication of supplementary guidance by IMDRF, the “Guidance for Implementing Cybersecurity in Medical Devices (2nd Edition)” was released on March 31, 2023. The second edition incorporates detailed requirements from the IMDRF supplementary guidance, particularly regarding Software Bill of Materials (SBOM) and the handling of legacy medical devices, making it more practical in nature.

The main additions to the second edition include specific requirements for SBOM creation and management, methodologies for addressing existing medical devices (legacy devices), and detailed procedures for vulnerability remediation and incident response. These additions enable medical device manufacturers to have more specific and actionable guidance when implementing cybersecurity measures.

IEC 81001-5-1: Integration into Regulatory Requirements

Incorporation into Essential Requirements and Legal Binding Force

The Essential Principles for Medical Devices were amended on March 9, 2023, by notification of the Ministry of Health, Labour and Welfare, with the addition of Section 3 to Article 12, titled “Special Considerations for Programmed Medical Devices.” This section specifies that for programmed medical devices intended to be used in connection with other devices and networks, or where external unauthorized access or attack is anticipated, appropriate requirements must be determined considering the device’s operating environment and intended network environment. The regulation requires that cybersecurity risks that could compromise device functionality or raise safety concerns be identified, evaluated, and mitigated.

Furthermore, it is stipulated that medical devices must be designed and manufactured based on a plan to ensure cybersecurity throughout the entire product life cycle.

Implementation Timeline and Transition Period

Article 12, Section 3 of the Essential Principles became applicable on April 1, 2023. However, to allow for realistic implementation by industry, a one-year transition period was established. Specifically, medical devices with anticipated cybersecurity risks must comply with the amended Article 12, Section 3 of the Essential Principles starting April 1, 2024.

Compliance with JIS T 81001-5-1

Applicable medical devices are required to comply with IEC 81001-5-1:2021 (JIS T 81001-5-1:2023). The incorporation into the Essential Principles signifies that medical device software developed without compliance with IEC 81001-5-1 will not be approved or certified in certification or approval applications. In other words, IEC 81001-5-1 is now a mandatory standard for certification and approval applications.

IEC 81001-5-1 is a process standard that specifies security-related activities to be implemented throughout the entire medical device software life cycle. The activities specified in this standard are derived from IEC 62443 (Industrial Control Systems Security Processes) and are intended to be implemented alongside requirements specified in IEC 62304 (Medical Device Software Life Cycle Processes).

Addressing Transition Health Software

IEC 81001-5-1 includes Annex F, “Transition Health Software,” which addresses existing medical devices. Transition health software refers to existing medical device software that was developed before the establishment of IEC 81001-5-1 requirements.

Starting April 1, 2024, existing medical devices must also comply with Article 12, Section 3 of the Essential Principles. For these existing devices, compliance is permitted through an assessment conducted in accordance with Annex F provisions, evaluating whether security risks are reasonably and appropriately mitigated under the current threat environment.

For existing products that have not undergone new development, compliance can be demonstrated through application of Annex F of JIS T 81001-5-1. However, even in this case, continuous monitoring of security threats, vulnerability remediation as needed, and post-market security management are required.

Compliance with Software Bill of Materials (SBOM)

Importance of SBOM

Section 8 of IEC 81001-5-1, “Software Configuration Management Process,” positions the Software Bill of Materials (SBOM) as a crucial process element. An SBOM is an organized inventory of software components included in a medical device—such as open-source software, commercial software, and internally developed software—along with information such as component names, originators, versions, and build numbers.

The IMDRF supplementary guidance “Medical Device Cybersecurity Deeper Dive: Legacy Devices and Transparency of Software Components” specifies detailed requirements for SBOM creation and management. To ensure medical device cybersecurity, manufacturers are required to create SBOMs and provide them to end users, including healthcare institutions and healthcare professionals.

Through SBOM provision, healthcare institutions can identify the software components contained in their medical devices and assess the impact when known vulnerabilities are discovered. Simultaneously, manufacturers can more efficiently collect vulnerability information, evaluate it, and prioritize remediation efforts.

Practical Considerations for SBOM Creation

The use of dedicated tools is recommended for SBOM creation and management. However, the second edition of the guidance does not specify the specific tools to be used, leaving the selection of optimal methods to each organization based on its circumstances.

Information to be included in an SBOM includes component names, originators (vendors), version numbers, license information, and known vulnerability information. SBOMs must be updated according to the product life cycle, particularly when new vulnerabilities are discovered or software components are updated.
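The SBOM workflow described above (inventory the components with supplier and version, assess which ones a newly published vulnerability affects, prioritise remediation, and keep the inventory’s known-vulnerability information current) is illustrated by the following added Python example. It is not code from the article, from IEC 81001-5-1, or from any vendor tool; the SBOM, component names, versions and advisory identifiers are constructed placeholders, and the JSON layout only mirrors CycloneDX naming conventions (components, supplier, licenses, a top-level vulnerabilities list) rather than implementing the full specification.

```python
"""Added example: cross-referencing an SBOM against vulnerability advisories.

Not code from the article, IEC 81001-5-1, or the MHLW guidance. The SBOM and the
advisory feed below are constructed sample data; component names, versions and
advisory identifiers are fictional placeholders, not real products or CVEs.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM for a hypothetical device. Field names follow the
# CycloneDX layout (components, supplier, version, licenses); content is invented.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-pump-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.3.7",
         "supplier": {"name": "Example TLS Project"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-json", "version": "2.0.1",
         "supplier": {"name": "Example JSON Authors"},
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "application", "name": "pump-controller", "version": "3.2.0",
         "supplier": {"name": "Example Medical (in-house)"},
         "licenses": []},
    ],
}

# Constructed advisory feed. "affected" is a comma-separated list of version
# constraints; the identifiers are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-tls",
     "affected": ">=1.3.0,<1.3.9", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "example-json",
     "affected": "<2.0.0", "severity": "high"},  # already fixed in the shipped 2.0.1
    {"id": "ADV-EXAMPLE-0003", "component": "example-tls",
     "affected": ">=1.2.0,<=1.3.7", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version ('1.3.7') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every constraint in `spec`, e.g. '>=1.3.0,<1.3.9'."""
    ops = {
        "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    }
    v = version_key(version)
    for constraint in spec.split(","):
        constraint = constraint.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-character operators first
            if constraint.startswith(op):
                if not ops[op](v, version_key(constraint[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {constraint!r}")
    return True


def assess_impact(sbom: Dict, advisories: List[Dict]) -> List[Dict]:
    """Return the advisories that hit a component in the SBOM, most severe first."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and version_matches(comp["version"], adv["affected"]):
                findings.append({
                    "advisory": adv["id"], "severity": adv["severity"],
                    "component": comp["name"], "version": comp["version"],
                    "supplier": comp.get("supplier", {}).get("name", "unknown"),
                })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["advisory"]))


def annotate_sbom(sbom: Dict, findings: List[Dict]) -> Dict:
    """Write the current findings into a copy of the SBOM's 'vulnerabilities' list,
    so the inventory carries the known-vulnerability information the guidance calls for."""
    annotated = json.loads(json.dumps(sbom))  # deep copy; the input SBOM is left untouched
    annotated["vulnerabilities"] = [
        {"id": f["advisory"], "ratings": [{"severity": f["severity"]}],
         "affects": [{"ref": f"{f['component']}@{f['version']}"}]}
        for f in findings
    ]
    return annotated


if __name__ == "__main__":
    for f in assess_impact(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['severity']:8} {f['advisory']}  {f['component']} {f['version']} ({f['supplier']})")
```

Run as a script, the block lists the two advisories that affect the shipped example-tls 1.3.7 (the critical one first) and skips the example-json advisory because the shipped 2.0.1 is outside the affected range. A real pipeline would load the SBOM from the build system and the advisories from a vulnerability feed, but the matching and re-annotation steps are the same: the SBOM is a living inventory that is re-evaluated whenever a new advisory arrives or a component is updated.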

Relationship Between the Medical Device Cybersecurity Implementation Guidance and IEC 81001-5-1

Differences in Regulatory Position

Clear guidance on the specific division of labor between the “Guidance for Implementing Cybersecurity in Medical Devices” and “IEC 81001-5-1” has not been formally specified. However, there are important differences in their regulatory positions.

The guidance is a policy document based on IMDRF principles, aimed at establishing organization-wide cybersecurity implementation systems for medical device manufacturers. In contrast, IEC 81001-5-1 is an international standard directly referenced in the Essential Principles and is a legally binding process standard that must be complied with.

Integrated Approach to Both Requirements

Therefore, medical device manufacturers must develop an integrated system addressing both requirements and create corresponding procedures. To accomplish this, manufacturers must gain a deep understanding of both standards, conduct gap analysis specific to their products and organizational structure, and clearly establish their own policies and procedures.

In practical terms, manufacturers must establish specific development and maintenance processes based on the life cycle activities specified in IEC 81001-5-1 (such as security requirements analysis, threat mitigation testing, vulnerability evaluation, security design, and security testing), and incorporate these processes into the organization-level cybersecurity implementation systems required by the guidance.

Inspection Confirmation Points

During device approval and regulatory inspections, the following aspects are confirmed:

Documentation demonstrating compliance with Article 12, Section 3 of the Essential Principles must be prepared, based on compliance with IEC 81001-5-1. This includes documents identifying security requirements, records of threat mitigation testing implementation, vulnerability evaluation results, and plans and results for ongoing security management.

Simultaneously, inspections confirm the existence of an organizational cybersecurity implementation system based on the guidance, establishment of cybersecurity committees or similar bodies, coordination mechanisms between relevant departments, and implementation status of employee education and training programs.

Post-Market Security Management and Vulnerability Response

Responsibility Throughout the Product Life Cycle

IEC 81001-5-1 positions post-market security management (Sections 6 through 9) as a critical component. Cybersecurity threats to medical devices change over time, and security measures implemented only during the pre-market design phase may be insufficient to maintain risks at acceptable levels.

Therefore, manufacturers must continuously collect vulnerability information after product market release, evaluate whether known vulnerabilities affect their products, and develop and provide vulnerability patches as necessary.

Coordinated Vulnerability Disclosure

IMDRF guidance requires the implementation of Coordinated Vulnerability Disclosure (CVD), which involves establishing a process for collecting and evaluating vulnerability information, developing and preparing mitigation and supplementary measures, and disclosing information to responsible parties, including healthcare institutions and professionals.

Manufacturers are required to establish a clear point of contact (contact information) capable of handling urgent cybersecurity inquiries and maintain a system for promptly responding to vulnerability reports from healthcare institutions.

Participation in Security Information Sharing Organizations

Medical device manufacturers are expected to contribute to industry-wide threat information sharing by participating in organizations that share updated information about security threats and vulnerabilities, such as ISAOs.

Key Understanding Points for Beginners

For those newly responsible for medical device cybersecurity compliance, the following key points should be understood:

First, the “Guidance for Implementing Cybersecurity in Medical Devices” provides policy direction for manufacturers’ organization-wide cybersecurity engagement and serves as the basis for system confirmation during regulatory inspections. In contrast, “IEC 81001-5-1” is an international standard that specifies concrete activities to be implemented in actual medical device software development and maintenance processes and serves as the basis for compliance confirmation during approval applications.

The two requirements have a complementary relationship, with manufacturers required to implement the process requirements of IEC 81001-5-1 within the organizational structure demanded by the guidance. It is essential for medical device manufacturers to recognize that compliance with both requirements is mandatory, rather than assuming that compliance with one is sufficient.

Specifically, for newly developed products, security requirements must be clarified from the planning stage, security measures must be incorporated during design, continuous security testing must be conducted during development, and vulnerability monitoring and remediation must be maintained post-market—achieving comprehensive lifecycle security management. For existing products, reasonable measures under the current threat environment are necessary, based on the concept of transition health software in Annex F.

Conclusion and Future Perspectives

In the medical device industry, the “Guidance for Implementing Cybersecurity in Medical Devices” and “IEC 81001-5-1” serve as two complementary key regulatory requirements. Compliance with these requirements became formally mandatory starting April 1, 2024, necessitating strategic and organization-wide measures by medical device manufacturers.

Going forward, the medical device industry is expected to experience continued maturation of security implementation practices. Through improved SBOM management, accelerated vulnerability remediation, and enhanced post-market surveillance, the security levels of medical devices used in healthcare facilities are expected to improve, ultimately enhancing patient safety.

Simultaneously, manufacturers must monitor developments in international standards and industry guidance addressing new security risks associated with technological evolution, particularly AI/ML-enabled medical devices. For medical device manufacturers, continuous knowledge updates and improvements to implementation systems will be critical ongoing challenges.
