
Safety of medical devices according to BfArM: IT security is the second pillar alongside product safety


With the new EU MDR, the risks resulting from increasingly networked technology are moving more into the regulatory focus: IT security in products or applications requiring approval is becoming more important – the resulting risks must be taken into account during the development, manufacture and operation of these products. Manufacturers of medical devices are facing new challenges. They must be prepared for the IT security of the products they manufacture to be given greater consideration in the approval process. Randolf Skerka has presented this topic in an article published by medizin & technik.

The approval process for medical devices has so far focused on product safety. This is now changing. The European Medical Device Regulation (EU) 2017/745 (MDR) replaces the Directives on medical devices (93/42/EEC, MDD) and active implantable medical devices (90/385/EEC, AIMDD). This revision became necessary due to increasing digitalization: medical technology and products no longer function in isolation, but within networked systems, which makes them attackable in principle. This has brought the risk of personal injury and IT security into focus, because medical devices have a direct influence on the patient's body, whether infusion pumps or imaging procedures such as X-rays or computed tomography. Manufacturers are now obliged to eliminate or minimize potential risks. In addition, the security level of a networked medical device changes over time after it has been placed on the market, for example when new vulnerabilities are discovered. This also brings new requirements for the approval process.

New requirements for DiGA as medical devices

The necessary change in perspective towards cyber security is a challenge for manufacturers: until now, their focus has been on ensuring the desired functions, often based on the best-case scenario. IT security takes the opposite perspective: the prevention of undesired functions, and therefore the question of how the technology can be manipulated. In addition, medical devices now also include digital health applications (DiGA), such as apps on prescription. These also have an indirect impact on the health of users, whether through reminder functions for taking medication or the provision of blood pressure data. The user relies on the accuracy of this information, and the manufacturer must be able to guarantee it.

Software is therefore no longer just a component of a medical device, but is becoming one itself. The MDR now covers this new reality; however, as usual, its requirements are not specific. Among other things, it is the task of the notified bodies responsible for testing the products – usually private companies such as TÜV or Dekra – to specify these requirements.

The BfArM is responsible for problems

In contrast to the approval of medicinal products, the Federal Institute for Drugs and Medical Devices (BfArM) is not involved in placing medical devices on the market. The prerequisite for this is the CE mark, which is granted according to defined criteria; here again, the notified bodies take over. The responsibilities for products that are already on the market are different: the BfArM is responsible for the central recording, evaluation and assessment of risks arising during application or use, and for coordinating the measures to be taken in the event of problems with medical devices. These are collected centrally in the Euromed database and passed on to the operators. If findings are made regarding the impact of medical devices on patient safety, these must be escalated and rectified. As a rule, the product owners or operators are informed by the manufacturers.

An IT security concept is necessary

For approval, manufacturers must prove that they are able to develop secure products. This starts with security by design, which aims to prevent vulnerabilities from arising later during operation, and with secure coding. In addition, the product must remain secure in its subsequent use for the approval period, which includes vulnerability management in particular. New manufacturers who want to launch medical products on the market need help understanding the approval process and its framework conditions; established manufacturers need technical or content-related support in the area of IT security and in developing new processes.

A partner such as SRC GmbH can provide support in the security process and in the creation and expansion of the IT security concept, which must be created in accordance with the IG-NB questionnaire "IT Security for Medical Devices". The first step is to determine the protection requirements. This is followed by a threat analysis and a risk analysis with suitable measures to prevent hazards for patients, users and third parties; vulnerabilities and their potential for damage are assessed. In addition, the security concept must be updated on an ongoing or event-driven basis in order to cover the entire life cycle of a product. In the isolated systems of earlier times, by contrast, the IT was not subject to any changes after market launch.

The formal approval process is the core business of the Bonn-based company. It is familiar with the problems faced by manufacturers, but also understands the mindset of the testing or notified body and can act as a mediator. The manufacturers' priority is usually to reduce the approval time to a minimum and thus achieve a fast time to market, which a partner can help them reach sooner. SRC knows what the documents to be submitted must contain, can check their suitability, ensure the necessary quality and level of maturity, and avoid queries from the notified body.

IT security for medical devices

The healthcare system is a complex system for providing medical care and maintaining health. It is characterised by an above-average need for information, documentation and communication. At the same time, there is an extraordinarily pronounced demand for data integrity and confidentiality, as well as the availability of medical care processes.

With the new version of the MDR, the focus of medical device approval is shifting to IT security. Manufacturers must be able to ensure it during development and later, permanently, during use in the field, thereby guaranteeing patient safety. This requires an IT security concept with components such as risk and vulnerability management, an ongoing task, as new risks must be continuously assessed. For manufacturers this means building up new skills, and this is where an external partner can provide support.

SRC Security Research & Consulting GmbH from Bonn bundles the latest know-how in information technology and its security. Originating from the banking industry, the IT security expert SRC represents a central link between research and products or services.

This article was also published on:
Press contact:
Patrick Schulze
WORDFINDER GmbH & CO. KG Lornsenstraße 128-130 22869 Schenefeld