The FDA, EU, NMPA and other key regulators have clearly indicated that cybersecurity must be considered throughout the whole life cycle of the medical device. The primary means of verification and validation of the cybersecurity measures is testing, which includes vulnerability scans, fuzz testing and penetration testing. Below are some frequently asked questions regarding the cybersecurity of medical devices:
No, the lack of findings does not indicate that the device is secure. The device might be secure with respect to the vulnerabilities that were part of the security test at a specific point in time. Keep in mind that the security situation for software may change rapidly due to newly emerging security vulnerabilities or due to new attack vectors.
No, there are no laws that require it to be conducted. However, dedicated security guidance such as the FDA guidance on the content of premarket submissions for cybersecurity in medical devices, the European MDCG 2019-16 guidance, and standards such as IEC 81001-5-1 indicate that such a scan must be considered. This means that you should have good arguments in the event you decide to skip it. The same applies to penetration tests.
You must consider security-related tests for the change itself as well as regression tests which show that your change did not have a negative effect on the cybersecurity of your device. In many cases, a vulnerability scan or penetration test should be repeated, at least in part.
Yes, you can conduct these tests on your own, but you need to have the appropriate competencies within your organisation. Nonetheless, it helps to have a second pair of eyes on your devices.
The most important argument for a third-party assessment is the impartiality of the third-party provider. Depending on the provider you choose, you may also benefit from a provider that has broader knowledge. In the case of cybersecurity testing, the medical device-specific knowledge and expertise of the third-party provider should be ensured, preferably by accreditation according to a medical device standard such as IEC 60601-4-5. Having tests conducted by accredited laboratories provides a higher level of assurance for the industry and also ensures the harmonisation of test categories based on risk.
Training courses are provided to raise awareness and understanding of cybersecurity in medical devices. The objective of the training is to understand the requirements defined in regulatory frameworks such as:
Furthermore, training courses can be provided to understand the implementation of cybersecurity in medical devices according to international standards such as:
The concept evaluations aim to identify cybersecurity gaps by assessing against international/harmonised standards, the cybersecurity state of the art and regulatory requirements, including:
Vulnerability Scans / Assessment and Static / dynamic code analysis
The objective of vulnerability scans is to identify and detect known weaknesses in computers, networks or applications (programs). The aim is for the manufacturer to perform remediation activities once critical vulnerabilities are identified. The benefit of this approach is to close vulnerability gaps and maintain strong security in medical devices.
The services include:
Penetration Tests and fuzz testing
The objective of a penetration test is to simulate a cyberattack in order to evaluate the security status of the medical device/software. The aim is to identify previously unknown weaknesses through manual testing. The test report results can be used as objective evidence for the effectiveness of cybersecurity in a medical device (similar to an IEC 60601-1 report being used as objective evidence for the safety of a medical device). The services include: