Navigating the Evolving Landscape of Cybersecurity for Medical Devices

Cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact. Cybersecurity incidents have rendered medical devices (MD) and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities. Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems.

These systems can include healthcare facility networks, other devices, servers, and other interconnected components. Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a medical device by compromising the functionality of any asset in the system.

As a result, ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of a larger system.

The Regulatory Landscape: FDA Guidance

This same year (March 2023), the FDA issued a guidance (without previously publishing the draft for comment) stating that manufacturers of MDs that could be affected by cybersecurity should:

- Define a plan to monitor, identify and address post-market vulnerabilities within a reasonable timeframe, as appropriate to the risk.
- Design and develop processes to ensure that the MD is cybersecure, and provide patches or new versions to mitigate new risks.
- Provide information on software components (open-source and off-the-shelf), as the FDA requires.

Moreover, in September 2023 the FDA finally issued the final guidance for Cybersecurity in Medical Devices (Quality System Considerations and Content of Premarket Submissions).

The guidance solidifies the definition of a cyber device, which includes medical device combination products with drug and biologic components. A cyber device is one that:

- Includes software validated, installed, or authorised by the sponsor as a device (or in a device)
- Has the ability to connect to the Internet
- Contains technological characteristics validated, installed, or authorised by the sponsor that could be vulnerable to cybersecurity threats.

Comprehensive Approach: Cybersecurity for Medical Device Systems

The guidance emphasises the need for sponsors to include vulnerability and other risk management plans in their premarket submissions and ensure products are designed and developed with cybersecurity in mind, including a Software Bill of Materials (SBOM) and the ability to be patchable.

- Sponsors should include in their SBOM the minimum elements listed in the October 2021 National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency document.
- Sponsors should also ensure their SBOMs are machine-readable. If a manufacturer is unable to provide the SBOM information to the FDA, it should provide a justification for why the information cannot be included in the premarket submission.
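As an added example (not from the FDA guidance, the NTIA document or Rephine), a small Python checker that reads a machine-readable, CycloneDX-style JSON SBOM and reports which NTIA minimum elements are absent; the SBOM content, component names and field mapping to CycloneDX are constructed for illustration.

```python
import json

# Checks a CycloneDX-style JSON SBOM against the NTIA (2021) minimum
# elements: supplier, component name, version, unique identifier,
# dependency relationship, SBOM author and timestamp.
# The SBOM below is constructed for this example; it is not a real device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2024-01-15T10:00:00Z",
                 "authors": [{"name": "Example Device Security Team"}]},
    "components": [
        {"bom-ref": "app", "type": "application", "name": "infusion-ui",
         "version": "3.2.0", "supplier": {"name": "Example MedTech"},
         "purl": "pkg:generic/infusion-ui@3.2.0"},
        {"bom-ref": "ssl", "type": "library", "name": "openssl",
         "version": "3.0.12", "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.12"},
        # deliberately incomplete entry: no version, identifier or dependency record
        {"bom-ref": "json", "type": "library", "name": "cjson",
         "supplier": {"name": "Example Upstream"}},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["ssl"]},
                     {"ref": "ssl", "dependsOn": []}],
})


def check_ntia_minimum(sbom_text):
    """Return a list of findings; an empty list means every minimum element is present."""
    sbom = json.loads(sbom_text)
    findings = []
    meta = sbom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("document: missing timestamp")
    if not meta.get("authors"):
        findings.append("document: missing SBOM author")
    # every component should appear as a "ref" in the dependency graph,
    # even with an empty dependsOn list, so its relationships are explicit
    dep_refs = {d.get("ref") for d in sbom.get("dependencies") or []}
    for c in sbom.get("components") or []:
        label = c.get("name") or c.get("bom-ref") or "<unnamed>"
        if not c.get("name"):
            findings.append(f"{label}: missing component name")
        if not c.get("version"):
            findings.append(f"{label}: missing version")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if c.get("bom-ref") not in dep_refs:
            findings.append(f"{label}: no dependency relationship recorded")
    return findings
```

Running the checker on the sample flags only the incomplete cjson entry, which is the kind of gap a sponsor would need to fill or justify before submission.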

The FDA's perspective is that it is not enough to make a product with good cybersecurity; sponsors must also consider how that product can continue to be protected from vulnerabilities throughout its usable life, a Total Product Lifecycle (TPLC) approach.

Our Rephine Medical Device expert, Medical Device Senior Consultant & Medical Device Area Manager, Núria de la Fuente, provides her conclusion on the FDA guidance:

“Cybersecurity is something that is relevant and will have to be adapted and evolved over the entire lifecycle of the device.”
Núria de la Fuente
Medical Device Senior Consultant & Medical Device Area Manager

European Union's NIS2 Directive: A Global Standard

The European Union’s NIS2 Directive also entered into force this year; although not exclusively focused on MDs, it sets out a guide for working on cybersecurity. Medical device and IVD companies belong to sectors considered critical, and NIS2 is mandatory when the company has more than 50 employees or a turnover above €10 million. As such, MD/IVD companies must:

- Conduct a risk analysis of the potential impact of cybersecurity incidents
- Implement technical measures according to the risks detected
- Notify significant cybersecurity incidents
- Detect and work on incidents as soon as possible
- Send follow-up information (to the Member State single point of contact) on a monthly basis until the incident is closed.

Partnering with Rephine's MD Team for Cybersecurity Assurance

Our MD team can support companies that design Software as a Medical Device (SaMD) and want to market SaMDs in the US by preparing the necessary cybersecurity documentation for FDA approval.

If your target is Europe, you can also count on our team of experts to work on the cybersecurity risks and define the tests to be carried out to ensure that there are no vulnerabilities that could put the product and/or the patient at risk.

You can find more about our Medical Device services, and contact our experts by visiting our Medical Devices page.
