Guideline on Cybersecurity from ANSM French Competent Authority
The ANSM French Competent Authority published in July 2019 a draft guideline on cybersecurity for medical devices. The European medical device sector should greatly applaud this initiative. This is the first and only guideline on cybersecurity with regard to the European medical device regulations.
This draft guideline, named ANSM’S guideline - Cybersecurity of medical devices integrating software during their life cycle is available on ANSM's website. The page is in French but an English version of the guideline can be downloaded through a link at the bottom of the page.
A guideline for the European Medical Device Regulation
The introductory text on the ANSM page tells us that:
This is the first time in Europe that recommendations in this area have been developed and the ANSM has shared its work with the European Commission so that the regulations evolve to integrate it.
The objective of this guideline is clearly to meet the General Safety and Performance Requirements of the MDR.
But within the French context
The main drawback of this guideline is that it is French! Cybersecurity is still new in the world of medical devices, and most of the members of the committee who wrote this guideline are French experts in cybersecurity. Thus most of the references in the guideline come from existing guidances and methods published by French public organisations. This is not a blocking situation. The same happens with FDA guidances referencing only US documents.
If you are willing to read the ANSM guideline and you have already read the FDA guidances on cybersecurity, just replace in your mind the French references with the US ones to get a better view of the French document:
- ANSSI by NIST,
- EBIOS by NIST Cybersecurity Framework,
- Other references like RGS or the PDF files on the ssi.gouv.fr website, by the NIST SP 800 Special Publications found on the NIST CSRC website.
Note: ANSSI and NIST are not the same. The closer equivalent of ANSSI is the Cybersecurity and Infrastructure Security Agency (CISA) of the DHS. NIST's missions are different, but it should work for our little exercise of correspondence.
On the bright side, this guideline brings lots of advantages:
- It is very didactic: about half of the document is made of explanations to let people from the medical device sector understand what cybersecurity is, how it is different from safety risk management, and why a cybersecurity risk management process shall be established with regard to the MDR,
- It draws the link with MDR requirements, but also with GDPR requirements, like the requirement to erase data when decommissioning a device,
- It draws a list of recommendations on what can be done to prevent cybersecurity risks throughout the software lifecycle. This list can be seen as an equivalent of the annex C of ISO 14971:2007, giving hints on what the risk management team should think about.
These recommendations are presented in sections that reflect the software lifecycle:
- Design and development,
- Putting into service,
- Post-market surveillance,
- End of life.
Many manufacturers present safety risks in their risk assessment report in order of appearance in the life cycle of the device. The presentation in this guideline will thus ease the understanding and assessment of cyber risks.
Moreover, the recommendations found in the ANSM guideline are complementary to those found in guidances from other regulations. Most of the recommendations in the ANSM guideline aren't present, or aren't explained the same way, in the draft FDA guidance of October 2018 on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, or in the Canadian Draft Guidance Document on Pre-market Requirements for Medical Device Cybersecurity.
Steps to make it an EU MDR guideline
A next step would be to promote this guideline at the European level. The French references would need to be replaced by European or international ones, namely:
- At first replacing EBIOS by something like ISO 27005,
- Other references by standards for security applied to health networks of the IEC 80001-1-x series,
- But also references to IEC 62304 and IEC 82304 (maybe in the general provisions on software design activities), to enlarge the view to the interactions of the cybersecurity process with the software development process,
- And, why not, for medical device verification, references to ANSI UL 2900-x (or an IEC equivalent, if SC62A, in charge of medical device standards, and TC65, in charge of the IEC 62443-x series, agree...).
This guideline is worth reading!
Either you aren't familiar with cybersecurity, and the first half of the document will give you a good understanding of the situation; or you are somewhat familiar with cybersecurity, and the document will give you a good list of recommendations to apply throughout the device life cycle.