Cybersecurity in medical devices - Part 1 Regulations
By Mitch on Monday 24 October 2016, 16:50 - Regulations - Permalink
We begin today a series of posts on cybersecurity in medical devices. Cybersecurity was not a subject before the advent of computerized medical devices. Now that every manufacturer wants its own connected medical device, cybersecurity matters!
Let's start with the regulations.
Medical devices, e-health and personal data
The main characteristic of connected medical devices is their ability to communicate health data. Some devices may only communicate data on their own status, which is not personal data, but connected devices communicate above all personal data. Such data can be used for diagnosis or kept for historical purposes.
Thus the regulations applicable to connected devices include the regulations on medical devices, but also those on personal data, without forgetting the regulations on data networks.
Regulations on cybersecurity
Following the short discussion above, regulations on cybersecurity cover medical devices, personal data and data networks. Let's see which regulations are applicable in Europe and in the USA.
In the USA, the context is simple (compared to Europe :-)). We have two main regulations:
- The 21 CFR, mainly part 820 but also part 806 and part 803, on the medical device lifecycle,
- The HIPAA/HITECH rules on the management of electronic protected health information (ePHI).
The interpretation by the FDA on the implementation of cybersecurity for regulated medical devices can be found in the guidance on the content of premarket submission files about cybersecurity and the guidance on postmarket management of cybersecurity.
These guidances mainly recommend (require?) that:
- Medical device safety and data privacy shall be addressed during design and development,
- Post-market surveillance of medical devices shall include cybersecurity risks.
The HIPAA rules can be found here (have a look at the Combined Regulation Text). These rules are applicable to covered entities and business associates. Depending on the services provided with their medical devices, manufacturers or their subcontractors can fall within the scope of business associates, for example if the device is used within a health plan. Manufacturers are indirectly impacted by the physical and technical safeguards of HIPAA (see the link to the Combined Regulation Text above). These safeguards affect the design of medical devices with rules like:
- Unique user identification,
- Automatic logoff,
- Backup and restore,
- Export of a copy of health data of a person.
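To make two of these safeguards concrete, here is an added example (not code from the original post or from any regulation text): a minimal session manager that enforces unique user identification and automatic logoff, and keeps an audit trail so that every access to ePHI is attributed to one identified user. The inactivity timeout, the user identifiers and the record identifiers are constructed values; a real device would set the timeout from its risk analysis and take the clock from the system rather than from a parameter.

```python
"""Unique user identification and automatic logoff, as a small session manager.

Added illustration of two HIPAA technical safeguards; not part of the original
post. Timeout value, user ids and record ids below are constructed examples.
"""
from dataclasses import dataclass, field

# Assumed policy value: 10 minutes of inactivity. A real device derives this
# from its risk analysis and the clinical workflow.
INACTIVITY_TIMEOUT_S = 10 * 60

# Generic shared accounts defeat unique user identification, so they are refused.
SHARED_ACCOUNT_NAMES = {"admin", "nurse", "doctor", "user", "operator"}


class AccessDenied(Exception):
    """Raised when a request is not backed by an active, identified session."""


@dataclass
class Session:
    user_id: str
    started_at: float
    last_activity: float
    active: bool = True


@dataclass
class SessionManager:
    timeout_s: int = INACTIVITY_TIMEOUT_S
    users: dict = field(default_factory=dict)      # user_id -> display name
    sessions: dict = field(default_factory=dict)   # token -> Session
    audit_log: list = field(default_factory=list)  # (time, user_id, event)

    def register_user(self, user_id: str, display_name: str) -> None:
        """Unique user identification: one identifier per person, no shared accounts."""
        if user_id in self.users:
            raise ValueError(f"user id {user_id!r} already exists")
        if user_id.lower() in SHARED_ACCOUNT_NAMES:
            raise ValueError(f"shared account name {user_id!r} is not allowed")
        self.users[user_id] = display_name

    def login(self, user_id: str, now: float) -> str:
        """Open a session for a known user and record the event. `now` is seconds."""
        if user_id not in self.users:
            raise AccessDenied("unknown user")
        token = f"sess-{len(self.sessions) + 1}"  # constructed token, not secure
        self.sessions[token] = Session(user_id, now, now)
        self._audit(now, user_id, "login")
        return token

    def access_phi(self, token: str, record_id: str, now: float) -> dict:
        """Read a record; enforces automatic logoff after inactivity."""
        session = self.sessions.get(token)
        if session is None or not session.active:
            raise AccessDenied("no active session")
        if now - session.last_activity > self.timeout_s:
            # Automatic logoff: the session is closed and the attempt is logged
            # before any data is returned.
            session.active = False
            self._audit(now, session.user_id, "auto-logoff")
            raise AccessDenied("session expired, please log in again")
        session.last_activity = now
        self._audit(now, session.user_id, f"read {record_id}")
        return {"record": record_id, "accessed_by": session.user_id}

    def _audit(self, now: float, user_id: str, event: str) -> None:
        self.audit_log.append((now, user_id, event))


def demo() -> list:
    """Walk through a login, two reads and an expired read; returns the audit log."""
    mgr = SessionManager(timeout_s=600)
    mgr.register_user("u-1001", "Dr. Example")       # constructed user
    token = mgr.login("u-1001", now=0.0)
    mgr.access_phi(token, "rec-42", now=100.0)
    mgr.access_phi(token, "rec-43", now=699.0)       # 599 s idle: still active
    try:
        mgr.access_phi(token, "rec-44", now=1400.0)  # 701 s idle: logged off
    except AccessDenied:
        pass
    return mgr.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the audit trail is that the evidence of compliance (who accessed what, and when the device logged a user off) is produced by the design itself, which is what the premarket and postmarket expectations described above ask for.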
Additional useful information on HIPAA is present on the HIPAA COW website (funny name but serious website).
European Union - present
There are currently two regulations applicable in the European Union:
- the 93/42/EC directive on medical devices,
- the 95/46/EC directive on data protection.
The medical device directive is mute on cybersecurity. And there is no MEDDEV guidance on cybersecurity either.
The data protection directive contains requirements on confidentiality and security of data processing, but not as precise as those of HIPAA.
But these two directives are close to their end of life and will be replaced by new regulations.
European Union - close future
The new regulations, which will replace the current directives, are:
- the Medical Device Regulation (MDR), which should be fully applicable in 2020,
- the 2016/679 General Data Protection Regulation (GDPR), which will be fully applicable in May 2018.
As discussed in a previous article on this blog, the new MDR raises the bar on cybersecurity for medical device software.
The GDPR is more stringent on personal data, with lots of requirements, and especially requirements for personal health data, like:
- the right of an individual to easily access their personal data, to rectify it, and 'to be forgotten',
- the obligation to conduct a data protection impact assessment (PIA),
- the obligation to ensure data protection by design.
This new regulation adds a considerable burden to anyone handling personal data. See this excellent article on this blog on how to set up a plan to comply with the new regulation.
A third regulation impacts medical device manufacturers very indirectly: the Directive on security of network and information systems. This directive "provides legal measures to boost the overall level of cybersecurity in the EU".
Basically, member states shall identify vital IT networks and protect them against threats. Some healthcare networks can be considered vital and thus fall within the scope of this directive. As a consequence, stringent cybersecurity measures are required on such networks. Since some connected medical devices are found on these networks, they will be subject to those cybersecurity measures, which manufacturers will have to implement or follow.
Regulations on medical devices and on health data are applicable to connected medical devices handling health data. Cybersecurity as a concept predates connected medical devices, but it is now included in the compliance criteria of the regulations pertaining to medical devices and personal health data.
These regulations bring additional requirements, which affect the design and the post-market surveillance of medical devices. We will see in this series of posts how to implement processes that produce evidence of compliance with cybersecurity requirements.
The next article will be on the stakeholders interested in cybersecurity.