New regulations

Recent changes in the regulations for the security of connected devices, worldwide.

Globally

Significant changes to the regulations are coming, in various countries. The following list is not exhaustive, but highlights the global trend.

US

The National Institute of Standards & Technology (NIST) has published three draft addenda to its manufacturer IoT guidance NISTIR 8259, as well as draft guidance for federal agencies, NIST SP 800-213, on integrating IoT devices into their networks. Notably, NIST published the addenda—8259B, 8259C, and 8259D—and 800-213 just days after the enactment of the Internet of Things Cybersecurity Improvement Act of 2020, in which Congress directed NIST to draft and finalize security guidelines for IoT devices procured by the federal government. While neither the 8259 addenda nor 800-213 fall within the Act’s purview, they are likely to inform NIST’s development of its IoT cybersecurity guidance under the Act. This is particularly true with regard to both 800-213 and addendum 8259D, the latter of which offers a “worked example” of implementing the core 8259 requirements within the specifications of the FISMA process and the NIST SP 800-53 security controls.

There are also new laws related to IoT security in California. At the start of the Biden administration in 2021, the Executive Order on cybersecurity mentions SBOM (software bill of materials) and IoT security labels.

More specifically related to healthcare, in 2018 the FDA released a draft guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, which provides cybersecurity recommendations for medical device manufacturers (MDMs). The goals of the guidance are to promote an efficient premarket review process while improving device cybersecurity posture and reducing cybersecurity risks.

Canada

Health Canada released a draft guidance, Pre-market Requirements for Medical Device Cybersecurity, in June 2019. Health Canada recognizes the benefits of connected medical devices for patient care and the healthcare system, but notes that increasing interconnectedness leaves devices vulnerable. Like the FDA guidance, the Health Canada document is not law. It is instead intended to provide, based on interpretations of existing regulation, current thinking on improving the cybersecurity of devices, along with the information to be submitted to demonstrate that a device is secure from unauthorized access.

Australia

In July 2019, the Australian Therapeutic Goods Administration (TGA) released its version of a premarket guidance, Medical device cyber security guidance for industry. In addition to pre-market guidance, the TGA document also contains total product life cycle (TPLC) guidance and post-market guidance. It specifies three target audiences: medical device software developers, connected medical device manufacturers, and individuals or organizations responsible for the supply of devices in Australia. The purpose is to help MDMs understand how the TGA interprets the regulations and how to comply. It should be noted that this is a guide that will be updated and evolve over time. Alongside it, the TGA produced medical device cyber security guidance for users, aimed at groups or individuals who represent users of medical devices, including patients, clinicians, and health and IT staff. This guidance highlights that secure medical devices rely on users as well as manufacturers, and assists users in managing cybersecurity risk.

France

Regarding the type of data processed: the General Data Protection Regulation (better known by the acronym GDPR) imposes a security obligation regarding personal data. Companies hosting health data must meet a security benchmark to receive certification as a Health Data Host.

Regarding information systems: since the Military Programming Law of 2014, health establishments and manufacturers of medical devices considered essential to the survival of the Nation have been qualified as Operators of Vital Importance (OIV). These OIVs must apply very strict security measures to protect their information system. This idea was taken up and extended at European level with the Network and Information Security (NIS) directive which applies to Essential Service Operators (OSE). Several health facilities that were not OIVs have become OSEs.

Regarding devices: the French Agency for the Safety of Health Products (ANSM) published the draft guidance, Cybersecurity of medical devices integrating software during their life cycle, in July 2019. Referencing Europe's existing regulatory framework for placing medical devices on the market, the document highlights that MDMs interpret the requirements differently. As more medical devices are connected to networks, many devices are not equipped to deal with the new threats that come with this connectivity. The aim of this guidance is to provide MDMs with recommendations for the early stages of product design, to minimize the risk of attack and data compromise.

In 2021, the government announced a plan to help healthcare organisations, mostly related to the auditing of their systems.

Germany

The German Federal Institute for Drugs and Medical Devices (BfArM) issued a document entitled "Cyber Security Requirements for Network-Connected Medical Devices" in 2018.

The German Federal Office for Information Security (BSI) has published an informative list of questions that a vendor should be able to answer.

Other countries

We do not go into the details of those guidance documents here, but the list may still be useful, as it shows the regions most active on the subject:

More resources on IoT regulations are available from https://github.com/fimbault/panorama (based on the work by cetome).

European focus

We have seen national guidance documents from France and Germany, but the EU is also working on these issues more generally.

EU cybersecurity act

Not limited to healthcare, the EU Cybersecurity Act establishes an EU certification framework for ICT solutions (which will be managed by ENISA). The EU Council has recently published recommendations regarding the cybersecurity of connected devices.

Medical Device Regulation (MDR)

The EU Medical Device Regulation is the regulation in force since May 26, 2017. It replaces the Medical Device Directive (MDD), which had been in place since the 1990s. The transition period between these two pieces of legislation extends until May 27, 2025. The new regulation harmonizes the rules for placing medical devices and their accessories on the Union market and putting them into service, thus enabling them to benefit from the principle of the free movement of goods. It sets high standards of quality and safety for medical devices by ensuring, among other things, that the data generated during clinical investigations are reliable and robust and that the safety of subjects participating in a clinical investigation is protected. It applies to both MDs (medical devices) and AIMs (active implantable medical devices).

The MDR innovates by integrating requirements relating to the IT security of devices that incorporate software. These cybersecurity requirements apply both before and after the device is placed on the market.

If a manufacturer wishes to market a new connected medical device, it needs to provide documentation covering:

  • the technical characteristics of the product (network flows, software architecture, etc.)

  • a cyber risk analysis that takes into account the impact of these risks and the remedial measures concerning the security of the device

  • a list of the minimum safety requirements for the operating environment of the device (for a defibrillator, the hospital information system)

  • technical audit reports (penetration test, code audit, fuzzing test, etc.).

If the manufacturer meets all the requirements of the pre-market compliance check, it may affix the CE mark to its medical device, which can then be marketed in all countries of the European Union.

UDI / EUDAMED

The UDI is a unique means of identification for each device (inspired by the system adopted in the United States in 2014). It takes the form of a bar code specific to each device, comprising a static part (the "device" identifier, specific to a manufacturer and to a device) and a dynamic part (the "production" identifier). The UDI is stored in the EUDAMED database, which gives users and regulators quick access to information about the coded device. Together, the UDI and EUDAMED ensure the traceability of medical devices. Each manufacturer wishing to comply with the new EU MDR must develop the basic UDI for its device without delay and prepare the technical documentation, the new EU declaration of conformity and the new registration data. It must then register the UDI in the EUDAMED database, and finally place the full UDI, including the production data, on the labeling.
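As an added illustration of the static/dynamic split described above (example code written for this page, not part of the regulation or of any EUDAMED tooling), the parser below splits a UDI into its device identifier and production identifier and validates the device identifier's check digit before it would be registered or looked up. It assumes GS1 is the issuing agency (GS1 application identifiers 01, 11, 17, 10, 21 in the human-readable form printed on labels); the sample UDI is constructed, not a real device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (hypothetical GTIN, lot and serial), human-readable GS1 form.
SAMPLE_UDI = "(01)01234567890128(17)261231(10)LOTA1(21)SN00042"

# Assumption: GS1 application identifiers. AI 01 carries the static UDI-DI;
# the dynamic UDI-PI is made of dates, lot and serial.
DEVICE_AIS = {"01": "gtin"}
PRODUCTION_AIS = {"11": "manufacture_date", "17": "expiry_date",
                  "10": "lot", "21": "serial"}
FIXED_LENGTH = {"01": 14, "11": 6, "17": 6}   # 10 and 21 are variable length

@dataclass
class Udi:
    device: dict = field(default_factory=dict)      # static part (UDI-DI)
    production: dict = field(default_factory=dict)  # dynamic part (UDI-PI)

def gtin_check_digit_ok(gtin: str) -> bool:
    """GS1 mod-10 check digit: weights 3,1,3,... from the left over N1..N13."""
    if len(gtin) != 14 or not gtin.isdigit():
        return False
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(gtin[:13]))
    return (10 - total % 10) % 10 == int(gtin[13])

def parse_udi(text: str) -> Udi:
    """Split a UDI string into device and production identifiers, rejecting malformed input."""
    udi = Udi()
    pos = 0
    for m in re.finditer(r"\((\d{2})\)([^(]*)", text):
        if m.start() != pos:                      # stray data between AIs
            raise ValueError(f"unexpected data at offset {pos}")
        pos = m.end()
        ai, value = m.group(1), m.group(2)
        if ai in FIXED_LENGTH and len(value) != FIXED_LENGTH[ai]:
            raise ValueError(f"AI {ai} must be {FIXED_LENGTH[ai]} chars, got {len(value)}")
        if ai in DEVICE_AIS:
            if ai == "01" and not gtin_check_digit_ok(value):
                raise ValueError("GTIN check digit mismatch")
            udi.device[DEVICE_AIS[ai]] = value
        elif ai in PRODUCTION_AIS:
            udi.production[PRODUCTION_AIS[ai]] = value
        else:
            raise ValueError(f"unsupported AI {ai}")
    if pos != len(text) or "gtin" not in udi.device:
        raise ValueError("malformed UDI: trailing data or missing device identifier")
    return udi

if __name__ == "__main__":
    print(parse_udi(SAMPLE_UDI))
```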
