Medical Device Cybersecurity (Part 1)

Introduction

The increasing use of wireless devices, internet connectivity, and networked medical equipment has significantly elevated the importance of effective cybersecurity in ensuring the functionality and safety of medical devices. In recent years, incidents have emerged where medical device cybersecurity vulnerabilities have been discovered, leading to device compromises, recalls, and retrofit requirements. Recognizing these emerging threats, regulatory authorities in the United States, Europe, Japan, and other countries, along with the International Medical Device Regulators Forum (IMDRF), have issued cybersecurity guidance and are now requiring medical device manufacturers to implement appropriate cybersecurity measures. Medical device cybersecurity in Japan has progressed from the initial evaluation of IMDRF guidance adoption to the current implementation phase.

Defining Cybersecurity

In Japan, cybersecurity is defined in Article 2 of the Cybersecurity Basic Law (Saibā Sekiuriti Kihon Hō) as follows:

Cybersecurity Basic Law

Article 2 (Definition) Under this law, “cybersecurity” refers to the implementation of necessary measures to prevent unauthorized disclosure, loss, or damage to information recorded, transmitted, or received by electronic, magnetic, or other means imperceptible to human perception (hereinafter referred to as “electromagnetic means”), as well as necessary measures to ensure the safety and reliability of information systems and information and communications networks (including measures to prevent damage from unauthorized access to computers through information and communications networks or storage media created through electromagnetic means). This state shall be appropriately maintained and managed.

In essence, cybersecurity comprises two fundamental elements. First, it requires implementing necessary measures to prevent unauthorized disclosure, loss, or damage to information recorded, transmitted, or received by electromagnetic means, thereby ensuring proper information security management. Second, it requires implementing measures to ensure the safety and reliability of information systems and information and communications networks. In addition, the state achieved through these measures must be appropriately maintained and managed.

Additionally, the Ministry of Health, Labour and Welfare (MHLW), together with the Ministry of Economy, Trade and Industry (METI) and the Ministry of Internal Affairs and Communications (MIC), mandates compliance with information security management through the following two guidelines:

  • MHLW “Guidelines for the Security Management of Medical Information Systems”
  • METI and MIC “Guidelines for the Provision of Medical Information Systems and Services by Medical Device Manufacturers Regarding Safety Management”

Many medical device manufacturers tend to ensure cybersecurity by complying with the requirements specified in these guidelines.

The True Meaning of Cybersecurity in Medical Devices

However, the primary objective of the requirements in these guidelines is the protection of patient information based on the Act on the Protection of Personal Information (APPI), rather than the protection against cyber attacks that threaten the functional safety of medical devices. Cybersecurity in medical devices must not be understood merely as information security. Instead, it must serve to ensure safety against potential health hazards to patients that could result from medical devices being compromised through cyber attacks.

When a medical device is subjected to a cyber attack, the consequences vary significantly depending on the type of device involved. For diagnostic or monitoring devices, such attacks could lead to test interruptions or generation of inaccurate diagnostic results. For devices used in therapeutic applications, attacks could cause treatment interruptions or implementation of unintended treatment protocols due to unauthorized modification of programmed protocols. For example, if the dose calculation software of a radiotherapy device becomes the target of a cyber attack, the consequences could be severe, potentially resulting in either overdose or underdose radiation delivery. The possibility of direct patient harm through compromise of a medical device’s autonomous control functions cannot be dismissed.

FDA Warnings and Actions

The U.S. Food and Drug Administration (FDA) has issued requirements for medical device manufacturers and healthcare facilities to implement appropriate security safeguards. These safeguards are intended to mitigate the risk of failures resulting from cyber attacks, whether through malware infiltrating medical devices or through unauthorized access to medical device or hospital network configurations. The FDA has issued multiple guidances and warnings emphasizing the importance of risk management, secure product development lifecycles, vulnerability management, and collaboration with healthcare facilities.

IMDRF Cybersecurity Guidance

On March 18, 2020, IMDRF released “Principles and Practices for Medical Device Cybersecurity.” Subsequently, in May 2020, the Ministry of Health, Labour and Welfare issued a notification regarding “the publication of guidance by the International Medical Device Regulators Forum (IMDRF) on the principles and practices of medical device cybersecurity.” This notification was accompanied by a Japanese translation of the IMDRF guidance.

The IMDRF Guidance consolidates general principles and best practices for medical device cybersecurity throughout the device lifecycle from the perspective of the entire industry ecosystem. The scope of this guidance extends beyond manufacturers to encompass all stakeholders involved in medical device use, including healthcare facilities, network administrators, and patients, thus promoting a comprehensive, ecosystem-wide approach to cybersecurity.

The scope of the IMDRF Guidance is not information security for the purpose of patient information protection, as discussed above. Instead, it addresses safety-related risks based on ISO 14971, specifically those associated with cybersecurity threats. In other words, the guidance focuses on cyber attacks that could affect the functional safety of medical devices.

In Japan, the government has been progressively implementing the IMDRF Guidance to enhance the safety of medical devices from a cybersecurity perspective. Medical device manufacturers and related stakeholders are currently in the implementation phase of these requirements.

Addressing Legacy Medical Devices

Legacy medical devices refer to medical devices that cannot reasonably defend against contemporary cybersecurity threats due to technological limitations and lack of security awareness at the time of their development. Products sold in the past that remain in clinical use are likely to qualify as legacy medical devices, as they possess insufficient security features.

Since legacy medical devices continue to be used in clinical environments, manufacturers must consider alternative risk mitigation strategies for existing products where adding security functions is technically challenging or economically impractical. These alternative approaches may include network segmentation and isolation, enhanced access controls, periodic monitoring and anomaly detection systems, and education and training for healthcare personnel and other stakeholders involved in device operation and maintenance.

Key Perspectives for Implementation

To appropriately address cybersecurity in medical devices, detailed risk analysis must be conducted with the cooperation of relevant stakeholders, including healthcare professionals, clinical engineers, and IT personnel, taking into account the characteristics of individual medical devices, their use environments, and operational contexts. Based on the results of this risk analysis, manufacturers must implement comprehensive measures to mitigate cybersecurity threats. Simultaneously, healthcare facilities themselves must regularly evaluate the vulnerabilities of their IT infrastructure and maintain close collaboration with medical device manufacturers to sustain security levels across the entire ecosystem.

(To be continued)
