Keeping Patient Information and Networks Safe
Today, the average hospital bed has 10 to 15 connected devices that provide diagnostic information to the patient’s care team, monitor the patient’s vital signs, and dispense therapeutic medications. With vital information at their fingertips, physicians, physician assistants and nurses can remotely monitor patients and provide more proactive care.

Due to the sensitivity of patient medical information and the increased risk of compromising a connected device or network, regulators in the U.S., Canada and the European Union have developed medical device cybersecurity standards to ensure that devices and networks are secure.

Medical device assessments are driven by both regulators and vendors. From a regulatory perspective, the U.S. Food and Drug Administration (FDA) lists cybersecurity requirements. In the EU, the relevant frameworks are the Medical Device Regulation (MDR), the In Vitro Diagnostics Regulation (IVDR) and the IMDRF Principles and Practices for Cybersecurity of Medical Devices.

In the U.S., there is a requirement to implement a proactive view of cybersecurity for the design, development, production, deployment and maintenance of regulated devices. In Canada, the requirements are slightly different, focusing on bills of materials (BOMs) and software listings. In Europe, there is the Medical Device Regulation (MDR), which contains multiple sets of principles. There are commonalities in all approaches, but the best way to achieve compliance is to develop a consistent cybersecurity standard.

The U.S. FDA approval process focuses on risk management, including product design review, risk analysis, and verification and validation. If you sell your product in the EU, the MDR process is similar to the FDA process, but with a slightly different view of risk. In the EU, regulators want to reduce risk across all modes of operation in order to anticipate risk and ensure expected device performance and a high level of health protection.

There are a number of reference standards to help medical device manufacturers demonstrate compliance with regulatory requirements, including UL 2900-2-1, IEC 62443 and the NIST framework:

1. The ANSI/UL 2900 series of standards, of which ANSI/UL 2900-2-1 specifically addresses networking and connectable components for medical devices, healthcare and healthcare systems. Devices manufactured to this standard are best in class in terms of safety, and if your product meets this standard, it will be approved by the FDA and MDR and exceed the requirements of any regulatory agency in the marketplace.

2. IEC 62443 was originally developed for interconnected power grids, data systems, and industrial control systems, and the safety requirements for these systems are not very different from those for medical devices. The IEC is developing two new standards – 60601-4-5 and 80001-5-1 – specifically for medical devices, based on IEC 62443.

It is advisable to contact the regulator at the initial stage of product development to determine the most important elements to consider in the risk management process. However, while the wording of regulations may vary from market to market, testing against existing standards is very consistent. Intertek’s cybersecurity experts have the knowledge to help you navigate the different regulatory requirements and standards for connected medical devices.

Author: tanxuabc