Standards & Practices in Medical Device Security

Guide to Medical Device Security

The rapidly evolving climate of medical device security standards and practices presents challenges for you and your organization.

As a medical device manufacturer, understanding your cybersecurity risks and obligations will help you identify the steps you need to take to manage security risks and deliver best-practice medical device security.

What are Your Key Medical Device Security Concerns? 

A 2019 report found that 82% of IoT devices used by health providers or vendors were targeted by cyberattacks. In order to best protect your organization’s devices from a cybersecurity threat, you first need to identify the risks.  

– External threats: There are many malicious actors with criminal intentions who will attempt to attack your medical devices. They often look for monetary payments, either directly via ransomware and crypto-mining malware, or indirectly by selling stolen information.

– Internal threats, vendor and contractor access: Remote access paths such as a VPN expose your medical devices to attacks by internal bad actors who use their legitimate access rights for malicious purposes.

– Improperly secured equipment and default passwords: This may seem obvious, but it is one of the most overlooked sources of a security breach. If your clients do not change the default password you set on your device, it may open the door for attackers looking for vulnerable devices, even after you have handed the device over to your client.

To properly protect against cyber threats, and to protect both health information and medical device software, the US Food and Drug Administration (FDA) and other international organizations have drafted standards and protocols to mitigate serious cybersecurity risks.

It may seem like a minefield of rules and regulations, but read on for a breakdown of what you need to know about medical device security to keep your business and your clients’ data safe.

Medical Device Security Guidelines 

US FDA Medical Device Security Guidance 

The FDA regulates medical devices in the United States and dictates cybersecurity regulations that must be followed by device manufacturers and healthcare delivery organizations. 

The FDA has issued two essential medical device software documents, as well as one standard of practice. They are:

1. US FDA Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

This document is your first stop, providing guidance and recommendations on how to ensure patient safety and device security. It can guide your decisions on device design and labeling, and it recommends what documentation to include in premarket submissions for devices with cybersecurity risk.

2. US FDA Guidance: Post-Market Management of Cybersecurity in Medical Devices 

In 2016, the FDA issued guidelines to help your company follow best-practice protocols for establishing an effective cybersecurity program. This document will help you create sound information-sharing policies to prevent unauthorized access to the patient health information collected by your clients.

The FDA encourages manufacturers to address cybersecurity threats throughout the product lifecycle – from design and production through to deployment and maintenance of the device. 

Your primary concern as a device manufacturer is to provide a safe and effective product. To achieve this, look for a medical device security company with regulatory experience in risk assessments, prevention, and deployment efficiency. 

RBC’s electromechanical medical devices can provide you with tailored, agile solutions for your medical device security needs.

3. UL2900-2-1: Safety Software Cybersecurity for Network-Connectable Products 

According to the GSM Association, the number of IoT devices is expected to grow to 25.1 billion by 2025. An industry focus on developing a connected ecosystem is the likely cause of the increase, and medical devices are no exception.

Connected medical devices increase the exposure of key information to cyber threats. This document includes a series of medical device software standards for cybersecurity. These standards will assist your company in ensuring medical device cybersecurity as well as information security, protecting both the device and patient information.

International Medical Device Security Standards

If your company is working in an international market, knowing the internationally recognized medical device security standards and practices is critical.

1. IMDRF WG/N60: Principles and Practices for Medical Device Cybersecurity

This document was developed at the beginning of the Coronavirus pandemic by the International Medical Device Regulators Forum (IMDRF). 

While there is significant overlap with the FDA guidelines, this document will provide you with internationally relevant, comprehensive guidelines.

2. ISO/IEC 27001:2013: Information Security Management 

This document belongs to the ISO/IEC 27000 family of standards. It describes how to recognize a manufacturer that has taken a systematic approach to protecting all information, by setting out how medical device software should function. To ensure you meet these standards, you need a specialized medical device security manufacturer. Look for a company that has incorporated device security into every stage of the manufacturing process.

3. IEC 62304:2006: Medical Device Software Life-Cycle Processes

If you are applying for ISO 14971 risk management and you already have a quality management system in place, then this document will form part of your application. 

By complying with IEC 62304 you ensure that your software risk management protocols protect both device security and patient safety.

4. AAMI TIR97 & TIR57 2019: Principles for Medical Device Security: Post-Market Risk Management

These two Technical Information Reports (TIRs) inform a manufacturer of the need to implement long-term security mechanisms.

Making Sense of the Guidelines

Given the number of different FDA and international guidelines and protocols, it is no surprise that even device manufacturing professionals can be overwhelmed when it comes to medical device security.

Your clients depend on you to comply with all the requirements. To do so, you will need a state-of-the-art medical device security system. 

Your workplace can improve efficiency by choosing expert strategic partners to provide you with solutions to tasks that do not fit within your key capabilities. To find out more about how strategic partnerships can give your company a competitive advantage, click here.


Medical Device Security Best Practices 

The FDA has compiled a list of medical device security best practices to protect medical device manufacturers from growing cybersecurity risks. Your product’s information security policies will need to continuously evolve to respond to changing threats. 

Here are some key tips: 

1. Limit access to trusted users. By placing authentication requirements on your devices (password, biometric, or smart card) you provide a first line of cybersecurity defense for all your medical devices.

2. Encrypt. Encrypting data adds another layer of defense against potential attackers.

3. Create protocols that identify the staff responsible for each device. This will help you identify breaches or cyber threats quickly, so your team can take steps to protect health information.

4. Keep firewalls and anti-malware programs up to date. These programs run in the background to detect and remove malicious software, safeguarding information security on all your medical devices.
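As an added illustration of tips 1 and 3 together with the default-password risk described earlier, here is a small access-control module that a connected device could run. It is example code written for this article, not code from the original page or from RBC Innovations / Vantage MedTech; the device ID, role names, users and the factory default password are all constructed placeholders. It authenticates users with a salted scrypt hash, refuses normal operation to an account that still carries the factory default credential until it is changed, restricts each device to the roles permitted to operate it, and keeps an audit log of every attempt so that unexpected access shows up quickly.

```python
"""Added example (not from the original article): device-side access control
with default-credential enforcement, role checks and an audit log.
All identifiers below are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for a factory-set credential; not any real product's default.
FACTORY_DEFAULT_PASSWORD = "changeme"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a scrypt hash of the password with a per-user random salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


@dataclass
class User:
    name: str
    role: str               # constructed roles, e.g. "clinician" or "biomed"
    salt: bytes
    pw_hash: bytes
    default_password: bool  # True until the factory default has been replaced


class DeviceAccessControl:
    """Per-device user store, role policy and audit trail."""

    def __init__(self, device_id: str, allowed_roles: List[str]) -> None:
        self.device_id = device_id
        self.allowed_roles = set(allowed_roles)
        self.users: Dict[str, User] = {}
        self.audit_log: List[Dict[str, str]] = []  # one entry per login attempt

    def provision_user(self, name: str, role: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[name] = User(name, role, salt, digest,
                                default_password=(password == FACTORY_DEFAULT_PASSWORD))

    def _verify(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            # Run the KDF anyway so timing does not reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            return False
        _, digest = hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.pw_hash)

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Replace a credential; the factory default is never accepted as the new value."""
        if new == FACTORY_DEFAULT_PASSWORD or not self._verify(name, old):
            return False
        user = self.users[name]
        user.salt, user.pw_hash = hash_password(new)
        user.default_password = False
        return True

    def unsecured_accounts(self) -> List[str]:
        """Accounts still using the factory default; useful as a pre-deployment check."""
        return sorted(n for n, u in self.users.items() if u.default_password)

    def login(self, name: str, password: str) -> Tuple[bool, str]:
        """Authenticate, enforce the default-password change, then apply the role policy."""
        if not self._verify(name, password):
            outcome = "denied: bad credentials"
        elif self.users[name].default_password:
            outcome = "denied: change the factory default password first"
        elif self.users[name].role not in self.allowed_roles:
            outcome = "denied: role not permitted on this device"
        else:
            outcome = "granted"
        self.audit_log.append({"device": self.device_id, "user": name, "outcome": outcome})
        return outcome == "granted", outcome


if __name__ == "__main__":
    pump = DeviceAccessControl("infusion-pump-01", ["clinician"])  # constructed device
    pump.provision_user("nurse1", "clinician", FACTORY_DEFAULT_PASSWORD)
    pump.provision_user("tech1", "biomed", "SomeStrongPass!2")
    print("accounts on factory default:", pump.unsecured_accounts())
    print(pump.login("nurse1", FACTORY_DEFAULT_PASSWORD))
    pump.change_password("nurse1", FACTORY_DEFAULT_PASSWORD, "N3w-Pass-w0rd")
    print(pump.login("nurse1", "N3w-Pass-w0rd"))
    print(pump.login("tech1", "SomeStrongPass!2"))
    for entry in pump.audit_log:
        print(entry)
```

The audit log is what makes tip 3 actionable: reviewing it per device shows which staff member attempted access, and any account that keeps failing or any role appearing on a device it should never touch is an early indicator worth investigating. The `unsecured_accounts()` check is the kind of control a manufacturer can run before handing a device over, so a client never receives a unit that still answers to the factory password.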

How Do I Deliver Best-Practice Medical Device Cybersecurity?

Complying with all the guidelines and standards can be challenging. Look for a medical device manufacturer that complies with federal and international best practices and can be your strategic partner in delivering state-of-the-art medical device security.

RBC Innovations’ Medical Device Design Services can provide you with a full-service medical device design and development system that is tailored to your needs. 

With a comprehensive design process that prioritizes security at every stage of development, it is no wonder that seven of the top 10 medical device manufacturers in the world trust RBC Innovations. Their systems hold EN ISO 13485:2016 certification and operate a quality management system based on FDA 21 CFR Part 820 and US FDA cGMPs.

RBC Innovations is flexible and adaptable and will help find a solution to enable you to reach your operational goals. Contact us today to ensure your device is manufactured with total security and reaches the market faster.

Need help with your medical device?

Let Vantage MedTech show how to bring your idea from concept to prototype to FDA/CE approval with a free custom project analysis.