Cyber security measures are essential.

Cyber security measures are essential.

Effective April 1, 2023, cybersecurity measures will be included in the basic requirements standards.
This has made cybersecurity measures mandatory for companies that manufacture and sell medical devices that use the program.
Specifically, a third paragraph will be added to Article 12, Considerations for Programmed Medical Devices, of the Basic Requirements Criteria, as follows

(Considerations for medical devices using the program)

Article 12 Omitted
2 abbreviation
3 For medical devices using programs that are used in connection with other devices and networks, etc., or medical devices that may be subject to unauthorized access and attack access from outside, appropriate requirements must be identified based on the operating environment and network usage environment for the medical devices, and controls must be in place to reduce such risks. Cyber security risks that may interfere with the functions of the medical devices or cause safety concerns must be identified and evaluated, and controls must be in place to reduce such risks.

In addition, such medical devices must be designed and manufactured in accordance with a plan to ensure cybersecurity during the entire life cycle of such medical devices.
This is in response to the March 2020 International Medical Device Regulators’ Forum (IMDRF) decision to adopt the “Guidance on Medical Device Cybersecurity Principles and Practices” was compiled, which will revise the basic requirements standards for medical devices using the program.
As a requirement to ensure cyber security as compiled in the IMDRF Guidance,

  1. Have a plan in place to examine medical device cybersecurity across the entire product life cycle
  2. Designed and manufactured to reduce cyber risk
  3. Establish minimum requirements for hardware, network, and IT security measures needed for a suitable operating environment

The amendment will incorporate the three perspectives into the basic requirements criteria.

Two specific measures are required to ensure the following

  1. Medical devices must be resistant to cyber-attacks as a product (vulnerabilities that could cause cyber-attacks must be addressed and operate properly), and medical devices must be designed and manufactured before marketing so that they do not become a source of infection (they must be protected from cyber-attacks and not allow the infection (to protect against cyber-attacks and to prevent the spread of infection).
  2. In addition, appropriate post-marketing management (use in the intended environment of use, correction of vulnerabilities (patches, updates), response to incidents, etc.) by the marketing authorization holder and appropriate management within the medical institution, etc., which is the user, must be mutually conducted.

The author also receives many consultations on cyber security measures on a daily basis.
Cybersecurity measures should close security holes (vulnerabilities) in the medical device program itself.
A security hole in a product just launched on the market would be a serious problem. For this reason, designers of medical device programs need to collect the latest security information.

On the other hand, medical institutions also need to take measures such as installing firewalls and closing unnecessary network ports.
Similarly, if the medical device program is not installed in a medical institution but rather in the cloud, it is necessary to take measures such as installing firewalls. In other words, it is too late to take countermeasures after a security hole is found, so countermeasures by the network infrastructure itself are necessary.

related product

[blogcard url= title=”QMS(手順書)ひな形 医療機器関連” ] [blogcard url= title=”【セミナービデオ】サイバーセキュリティの具体的な手順書作成セミナー 【サイバーセキュリティの手順書配布】”] [blogcard url= title=”サイバーセキュリティ規程・手順書・計画書 “] [blogcard url= title=”【VOD】 医療機器サイバーセキュリティセミナー”] [blogcard url= title=”【VOD】【手順書付き】医療機器ソフトウェア規制対応セミナー”]


Related post


There are no comment yet.