Cyber Security in Medical Devices (Part 1)
With the increasing use of wireless, Internet and networked devices, effective cybersecurity has become increasingly important to ensure the functionality and safety of medical devices.
In recent years, cybersecurity vulnerabilities in medical equipment have led to the discovery that the equipment could be cracked, resulting in the suspension of use and recall/refurbishment of the equipment.
Fortunately, however, there have been no cases of health hazards related to cybersecurity in either Japan or the United States.
In light of this situation, authorities in Japan, the U.S., Europe, and other countries, as well as the IMDRF, have issued guidance on cybersecurity, requiring medical device manufacturers to take cybersecurity measures.
Cybersecurity for medical devices in Japan is still at the stage of considering how to implement the IMDRF Guidance.
What is Cyber Security?
Cyber security in Japan is defined in Article 2 of the “Cyber Security Basic Law” as follows:
Cyber Security Basic Law
Article 2 (Definition) The term “cyber security” as used in this Act means the measures necessary to prevent leakage, loss or damage of information recorded, transmitted, or received by electronic, magnetic or other means unrecognizable to human perception (hereinafter referred to as “electromagnetic means” in this Article), and other measures necessary for the safe management of said information, together with the measures necessary to ensure the safety and reliability of information systems and information and telecommunications networks (including measures necessary to prevent damage caused by unauthorized activities on computers through information and telecommunications networks or recording media pertaining to records created by electromagnetic means (hereinafter referred to as “electromagnetic recording media”)), and that this state is properly maintained and managed.
In other words, cybersecurity consists of the following two points:
- With respect to information recorded, transmitted, or received by electromagnetic means: prevention of leakage, loss, or damage, and other measures necessary for the secure management of said information, together with the measures necessary to ensure the safety and reliability of information systems and information and telecommunications networks
- Proper maintenance and management of that state.
In addition, the Ministry of Health, Labour and Welfare, the Ministry of Economy, Trade and Industry, and the Ministry of Internal Affairs and Communications require compliance with the security management of medical information systems in the following two guidelines.
- Ministry of Health, Labour and Welfare: “Guidelines for the Safe Management of Medical Information Systems”
- Ministry of Economy, Trade and Industry and Ministry of Internal Affairs and Communications: “Safety Management Guidelines for Manufacturers of Medical Devices Providing Information Systems and Services that Handle Medical Information”
For this reason, medical device manufacturers tend to ensure cybersecurity by meeting the requirements of the above guidelines.
Cyber Security in Medical Devices
However, the purpose of these guidelines’ requirements is to protect patient information under the Privacy Act; ensuring cybersecurity is not their primary focus.
For medical devices, the issue is not information security but the health risks to patients that a medical device can cause if it is hacked, that is, safety assurance regarding health hazards.
If a medical device is subjected to a cyber-attack, it could lead to interruption of testing or incorrect diagnosis if it is a testing or diagnostic device.
If the device is used for treatment, events such as interruption of treatment may occur, and if the program is used for dose calculation in radiotherapy, over-irradiation or under-irradiation may result.
The FDA requested medical device manufacturers and healthcare organizations to take steps to ensure that appropriate safeguards are in place to mitigate the risk of failure from cyber attacks that may occur through malware intrusion into medical devices and unauthorized access to medical devices and hospital network settings.
However, so far there have been no cases of health hazards related to cybersecurity as warned by the FDA.
IMDRF Cyber Security Guidance
On March 18, 2020, IMDRF issued “Principles and Practices for Medical Device Cybersecurity“.
Accordingly, in May 2020, the MHLW issued a circular titled “International Medical Device Regulators Forum (IMDRF) Guidance on Medical Device Cybersecurity Principles and Practices” and requested that it be made known.
A document translating the IMDRF guidance is attached to this circular request.
The IMDRF Guidance is a compilation of general principles and best practices for cybersecurity throughout the medical device lifecycle from an industry ecosystem-wide perspective.
In Japan, from the viewpoint of improving safety related to cyber security of medical devices, the IMDRF Guidance is being considered for implementation by medical device manufacturers, distributors, and other related parties in about the next three years (2023).
The scope of the IMDRF Guidance is not information security, as noted above, but rather threats to cybersecurity among the safety-related risks under ISO 14971. (See figure).
Legacy medical devices
Legacy medical devices are medical devices that cannot be reasonably protected against current cybersecurity threats.
Products that have been sold in the past and are already in use may qualify as legacy medical devices.
In order to appropriately address cyber security of medical devices, it is important for manufacturers and distributors of medical devices to take sufficient measures to reduce risks from cyber attacks after conducting risk analysis based on the characteristics of individual medical devices in cooperation with relevant parties, including medical professionals.
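As an added illustration (not from the original article or the IMDRF guidance), the following Python sketch treats a cyber threat the way ISO 14971 treats any hazard: harm severity combined with P1 (probability that the hazardous situation occurs) and P2 (probability that the hazardous situation leads to harm), with risk controls lowering P1 or P2 and residual risk checked against an acceptability threshold. The ordinal scales, the threshold and the dose-calculation hazard are constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordinal scales and acceptability threshold are assumptions for this example.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
ACCEPTABLE_MAX = 6  # assumed: a risk index at or below this needs no further control

@dataclass
class CyberHazard:
    threat: str       # cyber threat, e.g. tampering with dose-calculation inputs
    harm: str         # patient harm, e.g. over- or under-irradiation
    severity: str
    p1: str           # probability the hazardous situation occurs (attack succeeds)
    p2: str           # probability the hazardous situation leads to harm
    # (description, which probability the control lowers: "p1" or "p2", level after control)
    controls: list = field(default_factory=list)

def risk_index(severity: str, p1: str, p2: str) -> int:
    # Probability of harm combines P1 and P2; modelled here as bounded by the smaller one.
    return SEVERITY[severity] * min(PROBABILITY[p1], PROBABILITY[p2])

def initial_risk(h: CyberHazard) -> int:
    return risk_index(h.severity, h.p1, h.p2)

def residual_risk(h: CyberHazard) -> int:
    # Apply each control; a control only ever lowers the probability it targets.
    p = {"p1": h.p1, "p2": h.p2}
    for _, target, after in h.controls:
        if PROBABILITY[after] < PROBABILITY[p[target]]:
            p[target] = after
    return risk_index(h.severity, p["p1"], p["p2"])

def needs_further_control(h: CyberHazard) -> bool:
    return residual_risk(h) > ACCEPTABLE_MAX

# Constructed sample hazard for a radiotherapy dose-calculation program (not a real product).
DOSE_CALC = CyberHazard(
    threat="unauthorized modification of dose-calculation parameters over the hospital network",
    harm="over- or under-irradiation of the patient",
    severity="catastrophic", p1="probable", p2="occasional",
    controls=[("authenticated, integrity-checked parameter updates only", "p1", "remote"),
              ("independent dose plausibility check before delivery", "p2", "remote")],
)

if __name__ == "__main__":
    print("initial:", initial_risk(DOSE_CALC), "residual:", residual_risk(DOSE_CALC),
          "further control needed:", needs_further_control(DOSE_CALC))
```

Because severity stays catastrophic, the two controls bring the index from 15 down to 10, which is still above the assumed threshold, so the register flags that more risk control is needed rather than accepting the residual risk.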