Medical Device Cyber Security Considerations

Digital data exchanges between Medical Devices and portable media containing patient health-related information present a significant opportunity for clinicians to provide speedier and more appropriate healthcare.

More recently, an effective Cyber Security approach, to ensure Medical Device functionality and in-turn patient safety, has become more paramount, due to the increased use of the internet, cloud services and network-connected Medical Devices, for Medical Device manufacturers and healthcare providers alike.

Cyber Security threats to all electronic installations have become more frequent. In May 2020 easyJet announced that a "highly sophisticated cyber-attack" had affected approximately nine million customers. Email addresses and travel details had been stolen and 2,208 customers had also had their credit card details "accessed". [Source BBC Website.]

Cyber Security threats have become more frequent and, in the case of the healthcare setting, potentially more severe due to the risk of clinical patient impact. Cyber Security incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the UK and globally.

In May 2017, WannaCry malware, which spread to more than 150 countries in a worldwide ransomware outbreak, was the biggest cyber-attack to have hit the NHS to date. The malware encrypted data on infected computers and demanded a ransom roughly equivalent to £230 ($300). The consequences of the attack were exacerbated by the fact that an assessment of 88 out of 236 trusts undertaken by NHS Digital before the attack found that none passed the required cyber-security standards.[Source BBC Website.]

More and more Medical Devices are utilising-software with varying degrees of potential patient impact. In the healthcare setting, cyber attacks can delay diagnoses and/or treatment and may lead to significant patient harm.

During the manufacturing process of the software-utilising Medical Device, a suitable approach to Cyber Security and software vulnerabilities needs to be established by the manufacturer.

In order to demonstrate a reasonable and trustworthy assurance of safety and effectiveness of new software-utilising Medical Devices, against cyber incidents, Regulatory Bodies require documented evidence of a suitable level of software security. Suitable documented evidence that proves a medical device demonstrates suitable and effective Cyber Security measures is part of the pre-market review.

In October 2018 the FDA released draft Cyber Security Guidance,  'Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’. The functionality statement includes Medical Device considerations such as:

• Management Of Private Data
• Security Capabilities
• Audit Controls
• Authorisations
• Security Features
• Upgrades

Zener Engineering Services Ltd provide expertise and practical assistance to help Medical Device manufacturers design their devices in such a way as to help protect against cyber incidents and subsequent potential patient harm.

ZES can advise and help implement suitable protection mechanisms to prevent all unauthorized use, whilst ensuring the security and integrity of the code, data, and the Medical Device's functionality.

As a part of premarket functionality statement submission, manufacturers should submit documentation demonstrating how Cyber Security design expectations are met by the Medical Device. ZES has helped Medical Device manufacturers to bring medical devices to market, with suitable Cyber Security approaches documented and validated.

If you require a Medical Device Cyber Security Functionality Statement template, ZES have a proven template for sale.

If you have concerns about Medical Device Cyber Security, 

contact ZES, where our experts are happy to help.