Medical devices security compliance

The healthcare industry is one of the most critical infrastructures in every country, because of its direct impact on human lives. Medical devices that interact directly with patients need to be equipped with state-of-the-art features in terms of performance. At the same time, the fast rise of cybersecurity threats and attack vectors is affecting medical devices more and more. From a cybersecurity point of view, most of these devices are high-risk targets. Controlling and minimizing these risks is therefore a critical process that manufacturers need to take into account.

Taking security into consideration during the whole development and manufacturing process of a medical device is a strong means of avoiding future security breaches, and thus of consolidating the brand's image and reputation.

Moreover, because of the high risks their devices carry in practice, medical device manufacturers need to comply with certain regulations in order to place their products on specific markets. In the U.S.A., the Food and Drug Administration (FDA) regulates market access. Manufacturers need to submit relevant evidence in support of their medical devices. The FDA has certain cybersecurity requirements that need to be satisfied. At the same time, it promotes a set of recognized consensus standards to guide manufacturers towards complying with those requirements. Examples of these standards are IEC 62443 for medical device security functionalities, ISO 14971 for medical device risk management procedures and ISO 62304 for medical device software development.

In the E.U., the situation is similar: manufacturers have to comply with the current Medical Devices Directive (MDD) or the new Medical Devices Regulation (MDR), with particular standards suggested to them as guidance. These standards are called harmonized standards, and some of them address cybersecurity issues, such as ISO 62304 (secure medical device software development) or ISO 14971 (medical device risk management). In addition, manufacturers need to demonstrate that their products comply with the state of the art in cybersecurity protection. The IEC 62443 or UL 2900 standards can be used to guide manufacturers towards this compliance state by highlighting relevant security functionalities and controls.

Therefore, obtaining compliance with the relevant cybersecurity standards is an efficient way of making the market approval process smoother, as well as of securing your devices in general.

Secura can help you in this process by offering tailored services. No matter which type of medical device you are manufacturing (from consumer-level products such as toothbrushes up to highly complex X-ray machines or laser surgical devices), we can offer you market-specific cybersecurity assessments, enabling a smooth and efficient time to market. We select the relevant security requirements from the various standards, assess how your devices or your development process meet them, and finally provide you with a compliance report stating the conclusions of the assessment. This report can then be used as evidence during your market-specific admission process, enabling a smoother clearance process.

For more details regarding the offered services and the assessment process, please check our dedicated medical devices factsheet.

© Secura 2020