Author: Dirk Müller
Team Lead at BAYOOMED
Co-author: Sebastian Wittor
Project Manager Medical Engineering at BAYOOMED
In increasingly networked medical technology, the topic of cyber security is becoming ever more important. Medical devices that contain software or are networked must be protected against cyberattacks not only during the development and launch phase, but also throughout their entire life cycle. This continuous process is referred to as post-market cybersecurity.
It therefore includes all measures to ensure the confidentiality of personal data, the integrity of stored or transmitted information and the availability of the medical device within the scope of its intended purpose. As cyber risks can also lead to direct harm for patients, careful and continuous monitoring is therefore essential in terms of patient safety and compliance with regulatory requirements.
Why is post-market cybersecurity so essential?
The increasing connectivity of medical devices inevitably increases the risk of cyberattacks. Attacks can not only compromise sensitive data, but also impair the functionality of a device and thus endanger the health of patients. Proactive measures to protect against cyber threats are therefore essential to prevent these potentially serious consequences.
Regulatory requirements
In the European Union, manufacturers of medical devices are required to implement a robust Post-Market Surveillance (PMS) system. This system ensures that data on the performance and safety of products on the market is continuously recorded and evaluated.
The Medical Device Regulation (MDR) and the MDCG Guideline 2019-16 (“Guidance on Cybersecurity for Medical Devices”) explicitly emphasize that manufacturers must identify cyber risks and take appropriate protective measures. An important part of these requirements is the identification and assessment of vulnerabilities in software libraries and in so-called SOUPs (Software of Unknown Provenance) – for example on the basis of publicly accessible databases such as the NVD CVE (Common Vulnerabilities and Exposures).
Requirements for medical device manufacturers
Manufacturers must continuously collect and evaluate information on potential cyber threats. This involves not only regular vulnerability analyses, but also the evaluation of incidents involving similar products in order to derive recommendations for action at an early stage.
Implementation of cybersecurity risk management
Effective risk management includes the identification of software vulnerabilities, the assessment of potential risks and the implementation of suitable countermeasures. A positive risk-benefit comparison must always be proven and all remaining risks must remain acceptable.
Development of vigilance plans
In the event of cyber incidents, a quick and structured approach is crucial. In certain cases, manufacturers have an obligation to report to authorities such as the BfArM and the BSI if serious information security incidents occur. An incident response plan should therefore be drawn up in advance in order to limit damage, inform users and initiate corrective measures immediately.
Implementation of update management
Regular updates and patches are essential to close known vulnerabilities. However, these updates must not impair the functionality of the product. It must also be ensured that no new risks arise as a result of the updates.
Documentation and reporting
All measures taken in connection with cybersecurity must be fully documented. In addition, regular reports – such as a PMS report or a Periodic Safety Update Report (PSUR) – must be prepared. These documents, supplemented by a comprehensive PMS plan, serve as proof of compliance with regulatory requirements.
Best practices for post-market cybersecurity
Security aspects should be integrated into product development right from the start. This includes the early consideration of security functions, regular threat analyses and a recurring review of the security concept.
Software Bill of Materials (SBOM)
A detailed SBOM lists all software components and libraries used, including version details. In the event of newly discovered vulnerabilities, it is possible to determine precisely which software components are affected and what countermeasures are required. This enables complete traceability of the software versions used and their security status.
Coordinated Vulnerability Disclosure (CVD)
A formal process for reporting and eliminating security vulnerabilities promotes constructive cooperation between manufacturers, users and security researchers. Structured processes ensure that any vulnerabilities discovered are dealt with quickly and effectively.
Entire product life cycle
The IEC 81001-5-1:2021 standard “Health Software and Health IT Systems Safety, Effectiveness and Security – Part 5-1: Security – Activities in the Product Life Cycle” (currently not harmonized in the EU) requires comprehensive security management for medical device software throughout the entire product life cycle. This includes development, implementation, operation, maintenance and decommissioning and ensures a consistently high level of system integrity.
Conclusion
Post-market cybersecurity is a continuous process that accompanies the entire life cycle of a medical device. Through constant monitoring, sound risk management and the application of best security practices, manufacturers can ensure a high level of product and patient safety and strengthen the trust of healthcare providers and patients.
Last but not least, compliance with regulatory requirements and the continuous development of protective measures help to meet the high quality and safety requirements in medical technology in the long term.
