Strengthening Cybersecurity Measures for Medical Institutions and Medical Devices (Request)
On March 1, 2022, the Ministry of Health, Labour and Welfare (MHLW) issued an administrative notice titled “Strengthening Cybersecurity Measures for Medical Devices, etc. (Request).” This notice was likely issued in response to the cyberattack on a Toyota-related company that occurred in late February 2022, when Kojima Industries Corporation, a Toyota Group supplier, was targeted by a ransomware attack that disrupted operations.
The main text of the request was issued jointly by the Ministry of Economy, Trade and Industry (METI), the Financial Services Agency, the Ministry of Internal Affairs and Communications, the Ministry of Health, Labour and Welfare, the Ministry of Land, Infrastructure, Transport and Tourism, the National Police Agency, and the Cabinet Cyber Security Center (NISC). This indicates that the notice was issued not only for medical devices but also across various industries.
Development of Medical Device Cybersecurity Guidance in Japan
Regarding medical device cybersecurity guidance in Japan, the plan to issue a notification based on the International Medical Device Regulators Forum (IMDRF) guidance by fiscal year 2023 has been realized. In April 2023, the MHLW published the “Guidebook for Introducing Cybersecurity in Medical Devices” (医療機器のサイバーセキュリティ導入に関する手引書), which reflects the principles outlined in IMDRF’s “Principles and Practices for Medical Device Cybersecurity” (March 2020) and subsequent updates.
This guidance aligns with international frameworks including:
- IMDRF Cybersecurity Guidance (2020 and subsequent updates)
- FDA’s premarket cybersecurity guidance and postmarket management expectations
- EU MDR (2017/745) and IVDR (2017/746) cybersecurity requirements, particularly under General Safety and Performance Requirements (GSPR)
- IEC 81001-5-1 (Health software and health IT systems safety, effectiveness and security)
- ISO 14971 (Application of risk management to medical devices) as applied to cybersecurity risks
Cybersecurity Risks in Medical Devices
When medical devices utilize operating systems with security vulnerabilities or open-source software components, there are risks of cyberattacks and malware infections. The increasing connectivity of medical devices through networks and the Internet of Medical Things (IoMT) has expanded the attack surface, making robust cybersecurity measures essential for patient safety and data protection.
Modern medical devices often incorporate Commercial Off-The-Shelf (COTS) software, third-party libraries, and legacy components that may contain known vulnerabilities documented in databases such as the Common Vulnerabilities and Exposures (CVE) system. Manufacturers must implement Software Bill of Materials (SBOM) practices to track and manage these components throughout the product lifecycle.
Critical Elements of Cybersecurity Management
The crucial point is that when a security vulnerability is discovered in a medical device product, the manufacturer must promptly notify users such as medical institutions and ask them to take interim measures such as disconnecting the device from the network. To make this possible, communication channels must be established in advance.
Secure Communication Protocols
It is important to contact medical institutions through trusted channels, and information about vulnerabilities must not be published on websites or other public platforms. Public disclosure could make medical devices attractive targets for malicious actors. Instead, manufacturers should utilize secure communication channels such as:
- Direct encrypted communication to registered healthcare facilities
- Coordinated vulnerability disclosure programs
- Collaboration with Computer Security Incident Response Teams (CSIRTs) or Information Sharing and Analysis Centers (ISACs)
- Field Safety Notices (FSNs) or Field Safety Corrective Actions (FSCAs) as required by regulatory authorities
Timely Patch Development and Distribution
At the same time, it is essential to develop and distribute patches promptly. The vulnerability remediation process should follow established timelines:
- Critical vulnerabilities affecting patient safety: immediate action required
- High-severity vulnerabilities: patches within 30 days
- Medium and low-severity vulnerabilities: patches according to risk assessment
Manufacturers must also consider the validation and verification requirements for patches to ensure they do not introduce new risks or adversely affect device performance. This includes regression testing and compatibility verification across different device configurations and network environments.
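The SBOM practice described above and the severity-based remediation timelines in this section can be combined into a single triage pass: parse the device's component list, match it against an advisory feed, and attach a remediation deadline to each finding. The following is an added example written for this page, not code from the MHLW guidebook or any manufacturer. The SBOM fragment (CycloneDX-like JSON shape), the component names and the advisory feed are all constructed; the advisory ids are placeholders, not real CVE numbers. The "fixed_in" matching rule (installed version older than the fixed version) and the treatment of any patient-safety finding as critical are assumptions of this example.

```python
import json
from datetime import date, timedelta

# Constructed SBOM fragment in a CycloneDX-like JSON shape (example data, not a real device).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "example-tls-lib", "version": "1.3.9"},
    {"type": "library", "name": "example-json-parser", "version": "2.0.1"},
    {"type": "operating-system", "name": "example-rtos", "version": "4.2.0"}
  ]
}
"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "component": "example-tls-lib",
     "fixed_in": "1.4.0", "severity": "critical", "patient_safety": True},
    {"id": "CVE-PLACEHOLDER-0002", "component": "example-json-parser",
     "fixed_in": "2.0.0", "severity": "high", "patient_safety": False},
    {"id": "CVE-PLACEHOLDER-0003", "component": "example-rtos",
     "fixed_in": "4.3.0", "severity": "medium", "patient_safety": False},
]

# Remediation windows in days, following the timelines given in the text:
# critical -> immediate, high -> 30 days, medium/low -> per risk assessment (None).
REMEDIATION_WINDOW_DAYS = {"critical": 0, "high": 30, "medium": None, "low": None}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """Turn a dotted numeric version string into a tuple that compares correctly."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(text):
    """Extract (name, version) pairs from the SBOM's component list."""
    bom = json.loads(text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def is_affected(installed, fixed_in):
    """Assumed rule: a component is affected when it is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def find_findings(components, advisories):
    """Match every SBOM component against every advisory for that component."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["fixed_in"]):
                findings.append({
                    "id": adv["id"], "component": name, "installed": version,
                    "fixed_in": adv["fixed_in"], "severity": adv["severity"],
                    "patient_safety": adv["patient_safety"],
                })
    return findings


def remediation_deadline(finding, discovered):
    """Deadline by severity; a finding that affects patient safety is handled as critical."""
    severity = "critical" if finding["patient_safety"] else finding["severity"]
    window = REMEDIATION_WINDOW_DAYS[severity]
    return None if window is None else discovered + timedelta(days=window)


def triage(sbom_text, advisories, discovered):
    """Parse the SBOM, match advisories, attach deadlines and sort most urgent first."""
    findings = find_findings(parse_sbom(sbom_text), advisories)
    for finding in findings:
        finding["deadline"] = remediation_deadline(finding, discovered)
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def run_example():
    """Run the triage over the constructed SBOM with a constructed discovery date."""
    return triage(SBOM_JSON, ADVISORIES, date(2023, 4, 1))


if __name__ == "__main__":
    for f in run_example():
        print(f["id"], f["component"], f["installed"], "->", f["fixed_in"],
              f["severity"], "deadline:", f["deadline"] or "per risk assessment")
```

On the constructed input the JSON parser is not reported because its installed version is already at or above the fixed version, the TLS library produces a critical finding due the same day it is discovered, and the RTOS finding carries no fixed deadline and is left to the risk assessment, matching the third tier of the timelines above. A real deployment would replace the constructed feed with the manufacturer's advisory source and the simple "older than fixed version" rule with the affected-range semantics that source actually publishes.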
Challenges for Small and Medium-Sized Enterprises
Small and medium-sized enterprises (SMEs) may hesitate to announce vulnerabilities even when discovered because disclosure could impede product sales and damage company reputation. However, if vulnerabilities are left unaddressed, they may cause significant harm to patients and healthcare institutions. Regulatory authorities worldwide emphasize that patient safety must take precedence over commercial considerations.
To support SMEs in fulfilling their cybersecurity obligations, industry organizations and regulatory bodies have developed resources including:
- Simplified cybersecurity frameworks tailored to resource-limited organizations
- Templates for vulnerability disclosure and patch management processes
- Collaboration platforms for sharing threat intelligence
- Guidelines for minimum viable cybersecurity practices
Lifecycle Cybersecurity Support Obligations
Furthermore, as long as previously shipped products remain in use at medical institutions and other facilities, cybersecurity support should continue throughout the product’s intended operational lifetime. This concept of “cradle-to-grave” cybersecurity responsibility is increasingly recognized in regulatory frameworks globally.
The duration of cybersecurity support should be clearly defined in the product’s technical documentation and communicated to users at the time of purchase. Factors determining support duration include:
- Expected useful life of the device
- Availability of security updates for underlying COTS components
- Evolution of the threat landscape and emerging vulnerabilities
- Regulatory requirements in applicable jurisdictions
End-of-Support Planning
If support must be discontinued, users must be notified within a predetermined timeframe that was agreed upon in advance. Best practices for end-of-support planning include:
- Providing at least 12-24 months advance notice before terminating cybersecurity support
- Offering migration pathways to newer products or alternative solutions
- Conducting final security assessments and providing risk mitigation guidance for continued use
- Documenting the end-of-support decision and rationale for regulatory submissions
- Coordinating with healthcare institutions to plan for device replacement or network isolation
Regulatory Context and Compliance Requirements
The evolving regulatory landscape requires manufacturers to integrate cybersecurity throughout the total product lifecycle (TPLC), from initial design through post-market surveillance. Key regulatory expectations include:
| Regulatory Authority | Key Requirements |
|---|---|
| Japan (MHLW/PMDA) | Compliance with 2023 Cybersecurity Guidebook; incorporation of IMDRF principles; demonstration of cybersecurity risk management as part of overall risk management per Pharmaceutical and Medical Device Act |
| United States (FDA) | Premarket: cybersecurity in medical devices must follow FDA guidance; Postmarket: Section 524B of FD&C Act requires monitoring and addressing cybersecurity vulnerabilities |
| European Union (EU MDR/IVDR) | GSPR Annex I requirements for cybersecurity; demonstration of state-of-the-art cybersecurity measures; post-market cybersecurity vigilance and updates |
| International (IMDRF) | Principles-based framework emphasizing security by design, risk management, transparency, and coordinated vulnerability disclosure |
Conclusion
Cybersecurity in medical devices is no longer optional but a fundamental aspect of device safety and effectiveness. Manufacturers must adopt a proactive, lifecycle-based approach to cybersecurity that prioritizes patient safety while maintaining transparency with users and regulatory authorities. As cyber threats continue to evolve, ongoing vigilance, collaboration across stakeholders, and commitment to continuous improvement remain essential to protecting patients and healthcare infrastructure from cybersecurity risks.
The 2022 notice from Japanese authorities represents an important milestone in raising awareness of these critical issues, and the subsequent publication of detailed guidance in 2023 provides manufacturers with practical frameworks for implementing robust cybersecurity practices in compliance with both domestic and international standards.