Abstract. The purpose of this paper is to provide an overview of the current professional literature about medical device cybersecurity from a regulatory point of view and at the global level. This paper provides the most comprehensive overview of such publications to date. It may assist healthcare, medical device, regulatory affairs, quality management, and cybersecurity professionals, researchers, regulators, and other subject matter experts in identifying applicable cybersecurity regulations, standards, and industry best practices for medical devices.
Keywords. cybersecurity, FDA, guidance, medical devices, regulation, standard
1 Introduction
Medical device companies operate in a highly regulated industry and need to comply with applicable laws and regulations on data privacy protection and cybersecurity. In the past, medical devices were mostly designed and developed as non-networked devices. The main focus was on general safety and performance requirements, and less on security. Nowadays, medical devices often incorporate third-party hardware and software components, and we observe an increase in the use of wireless, Internet-connected, networked, and interconnected medical devices. The expanded use of smartphones, tablets, wearable devices, and cloud services has fostered the development of the Internet of Medical Things (IoMT) in the last few years. Due to the growing number of networked medical devices, which can be vulnerable to a wide variety of security threats, medical device manufacturers should address security risk management from initial device conception to disposal. Together, these trends have resulted in an increase in professional publications (i.e., national laws and regulations, standards, guidance documents, technical (information) reports, trend reports, white papers, industry best practices, frameworks, playbooks, information for consumers, etc.) that strengthen cybersecurity requirements for medical devices at the global level.
This paper aims to provide an overview of the current professional publications related to medical device cybersecurity across the globe. Related work is presented in section 2. Section 3 presents the results of the conducted narrative literature review. The final section gives a brief summary and discussion of the findings and identifies areas for further research.
2 Related Work
In 2005, the Food and Drug Administration (FDA), a federal agency of the United States, issued its first guidance document about cybersecurity for networked medical devices containing off-the-shelf software. This guidance (FDA, 2005) recommends validating computer software changes that address cybersecurity vulnerabilities and developing a cybersecurity maintenance plan.
In June 2013, the FDA issued a draft guidance document that addresses management of cybersecurity in medical devices throughout the premarket phase. The final guidance was released by the FDA in October 2014. In this final guidance, the FDA (2014) defines cybersecurity as the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient. In October 2018, the FDA updated the premarket guidance. This draft guidance (FDA, 2018) also includes some postmarket recommendations.
In December 2016, the FDA published a second guidance that addresses management of cybersecurity in medical devices during the postmarket phase. According to this guidance (FDA, 2016), cybersecurity applies to the following types of medical devices: a) devices that contain software, firmware, or programmable logic, b) software that is a medical device, including mobile medical applications, c) interoperable devices, and d) marketed and distributed legacy devices. Over the last three years, many countries around the world have published their own regulatory guidelines about cybersecurity of medical devices.
At the moment, there are many standards about information security management, as well as standards covering different aspects of cybersecurity such as vulnerability disclosure, vulnerability handling processes, risk management for IT networks incorporating medical devices, etc., that can be adopted by medical device manufacturers and healthcare organizations. However, there is no international consensus cybersecurity standard that is solely focused on the medical device industry. The International Electrotechnical Commission (IEC), the international standards and conformity assessment body for all fields of electrotechnology, is developing a new standard, IEC/DIS 80001-1 (IEC/DIS 80001-1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software - Part 1: Application of risk management, 2020), to support medical device manufacturers with respect to security risk management for connected medical devices and connected health software.
While there are many scientific papers about current international standards and trends of medical device cybersecurity, to the best of the author's knowledge, they only focus on: a) one or more professional publications (Anonymous, 2019), (Baranchuk et al., 2018), (Brown et al., 2016), (Jagannathan & Sorini, 2015), (Jump, 2019), (Jump & Finnegan, 2017), (Mankovich & Fitzgerald, 2011), (Murthy, 2019), (Sametinger et al., 2015), (Schwartz et al., 2018), (Stern, 2017), (Stern et al., 2019), (Vargas, 2017), (Walker, 2018), (Wu & Eagles, 2016), b) major countries (Chen et al., 2018), (Fu & Blum, 2013), (Kim et al., 2020), c) a particular geographic area (Abraham et al., 2019), (Best, 2020), (Burns et al., 2016), (Coburn, 2016), (Martinez, 2018), (Owens, 2016), (Pasanisi, 2017), (Pesapane et al., 2018), (Skierka, 2018), (Webb & Dayal, 2017), d) particular types of medical devices (Carroll & Richardson, 2016), (Gladden, 2016), (Hrgarek, 2012), (Hrgarek Lechner, 2017), (Pirker & Hrgarek Lechner, 2019), (Yuan et al., 2018), e) a particular ability of medical devices (Hatcliff et al., 2019), (Hrgarek Lechner, 2018), or f) a particular activity of the cybersecurity process (Arbelaez et al., 2018), (Jiang et al., 2020), (Moshi et al., 2019), (Suárez & Scott, 2017). No paper has been found that provided a comprehensive overview of professional medical device cybersecurity publications at the global level.
3 Narrative Literature Review
The purpose of the conducted narrative literature review was to identify relevant professional publications related to medical device cybersecurity across the globe. The scope of this review was limited to English and German professional publications that were published in the time period from August 1996 to August 2020. August 1996 was chosen because the Health Insurance Portability and Accountability Act of 1996, the U.S. federal law that requires the protection of sensitive patient health information, was published at that time. The literature search was performed using: a) e-mail notifications from the FDA and normScan (an online monitoring and tracking tool for new and updated medical device standards), b) searches in the IEC and ISO webstores, c) various keyword searches in the Google web search engine, and d) content shared on the LinkedIn platform by TÜV SÜD (a notified body in Germany), the British Standards Institution (the UK national standards body), and regulatory affairs professionals in the medical device industry. Some publications were identified in the scientific papers referenced in the previous section.
As listed in Table 1, a total of 156 relevant professional publications addressing cybersecurity for medical devices were identified. This table provides the most comprehensive overview of global professional publications from various sources to date and indicates the complexity of the evolving medical device cybersecurity ecosystem in a highly regulated environment. Since cybersecurity in the medical device industry requires shared responsibility among stakeholders (e.g., medical device manufacturers, healthcare providers, patients, security researchers, etc.), a number of laws, regulations, standards, guidance documents, and other types of publications are currently needed to cover the entire device life cycle.
Maintaining compliance with other regulatory requirements in the medical device industry, such as a risk management process or a usability engineering process, is easier due to the relatively small number of applicable regulations and standards. For example, ISO 14971 (ISO 14971: Medical devices - Application of risk management to medical devices, 2019) is an international, harmonized standard for a risk management process that has been specifically designed for the medical device industry. The standard has been recognized as a consensus standard by international regulators such as the FDA and the Australian Therapeutic Goods Administration (TGA).
Since 2015, there has been a significant increase in the number of released professional cybersecurity publications listed in Table 1. As shown in Figure 1, a total of 117 professional cybersecurity publications were issued between 2015 and 2020 (80.7%), another 22 publications were published during 2008-2014 (15.2%), while only six publications were released during 1996-2007 (4.1%). Three publications were published as a draft version, and eight publications are under development and have not been published yet.
4 Discussion and Conclusions
This paper has shown that medical device manufacturers operating in a global context must tackle a high number of professional cybersecurity publications and different publication types. Since the FDA's first guidance document outlining the agency's cybersecurity expectations from a premarket perspective was published in 2014, many international regulators have introduced their own guidance documents.
Due to the increasing number of regulations and regulatory compliance requirements, which are sometimes listed within the guidance documents, implementing cybersecurity is very challenging for medical device industry practitioners and other stakeholders. Medical device companies must identify the applicable cybersecurity regulations in the countries where they plan to market their products and find an effective way to comply with those regulations and to maintain compliance.
All publications listed in Table 1 were reviewed and classified into 31 different types according to their content. Table 2 lists publication types and shows the number of times they occur in Table 1.
This paper may assist different groups of professionals, researchers, regulators, and other subject matter experts in identifying applicable cybersecurity regulations, standards, and industry best practices for medical devices. Introducing an international standard that is recognized by most international regulators may help to address these challenges from a regulatory point of view.
The main weakness of this paper is that no systematic literature review could be performed due to the nature of professional cybersecurity publications. Only a relatively small number of such publications can be found in the academic databases and search engines that are used for finding and accessing scientific papers.
Due to the scope of the conducted narrative literature review, only English and German publications were included. Future work should seek to broaden this further. It would be interesting to develop a centralized database containing a catalogue of applicable professional publications related to medical device cybersecurity. Such a database should be extensible with new entries and contain metadata and keywords for easier searching. Further research might explore relevant professional publications related to data privacy protection within the medical sector.
Acknowledgments
The author would like to thank the anonymous reviewers for their valuable comments and suggestions that significantly improved this paper.
References
Abraham, C., Chatterjee, D., & Sims, R. R. (2019). Muddling through cybersecurity: Insights from the U.S. healthcare industry. Business Horizons, 62(4), 539-548.
Anonymous. (2019). The Roundup: A compilation of items about healthcare technology news, regulations, and AAMI initiatives. Biomedical Instrumentation & Technology, 53(6), 404-407.
Arbelaez, A., Edwards, S., Littlefield, K., Wang, S., & Zheng, K. (2018). Securing Wireless Infusion Pumps. Proceedings of the 2018 IEEE Cybersecurity Development (SecDev) (pp. 141-141). Cambridge.
Baranchuk, A., Refaat, M. M., Patton, K. K., Chung, M. K., Krishnan, K., Kutyifa, V., Upadhyay, G., Fisher, J. D., & Lakkireddy, D. R. (2018). Cybersecurity for Cardiac Implantable Electronic Devices: What Should You Know? Journal of the American College of Cardiology, 71(11), 1284-1288.
Best, J. (2020). Could implanted medical devices be hacked? BMJ: British Medical Journal, 368:m102.
Brown, N. A., Carey, C. H., & Gallant, M. P. (2016). Cybersecurity of Postmarket Medical Devices Addressed by FDA in Draft Guidance. Intellectual Property & Technology Law Journal, 28(4), 9-11.
Burns, A. J., Johnson, M. E., & Honeyman, P. (2016). A Brief Chronology of Medical Device Security. Communications of the ACM, 59(10), 66-72.
Carroll, N., & Richardson, I. (2016). Software-as-a-Medical Device: demystifying Connected Health regulations. Journal of Systems and Information Technology, 18(2), 186-215.
Chen, Y. J., Chiou, C. M., Huang, Y. W., Tu, P. W., Lee, Y. C., & Chien, C. H. (2018). A Comparative Study of Medical Device Regulations: US, Europe, Canada, and Taiwan. Therapeutic Innovation & Regulatory Science, 52(1), 62-69.
Coburn, K. R. (2016). The Internet of Medical Things. Scitech Lawyer, 12(3), 18-20.
FDA. (2005). Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.
FDA. (2014). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff.
FDA. (2016). Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff.
FDA. (2018). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff.
Fu, K., & Blum, J. (2013). Controlling for Cybersecurity Risks of Medical Device Software. Communications of the ACM, 56(10), 21-23.
Gladden, M. E. (2016). Information Security Concerns as a Catalyst for the Development of Implantable Cognitive Neuroprostheses. Proceedings of the 9th Annual Conference of the EuroMed Academy of Business: Innovation, Entrepreneurship and Digital Ecosystems (EUROMED 2016) (pp. 891-904). Warsaw.
Hatcliff, J., Zhang, Y., & Goldman, J. M. (2019). Risk Management Objectives for Distributed Development of Interoperable Medical Products. Proceedings of the 2019 IEEE Symposium on Product Compliance Engineering (SPCE Austin) (pp. 1-6). Austin.
Hrgarek Lechner, N. (2017). An Overview of Cybersecurity Regulations and Standards for Medical Device Software. Proceedings of the Central European Conference on Information and Intelligent Systems (CECIIS) (pp. 237-249). University of Zagreb, Faculty of Organization and Informatics Varaždin.
Hrgarek Lechner, N. (2018). Developing a Compliant Cybersecurity Process for Medical Devices. Proceedings of the Central European Conference on Information and Intelligent Systems (CECIIS) (pp. 197-204). University of Zagreb, Faculty of Organization and Informatics Varaždin.
Hrgarek, N. (2012). Certification and regulatory challenges in medical device software development. Proceedings of the 2012 4th International Workshop on Software Engineering in Healthcare (SEHC) (pp. 40-43). Zürich.
IEC/DIS 80001-1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software - Part 1: Application of risk management. (2020). Retrieved from https://www.iso.org/standard/72026.html
ISO 14971: Medical devices - Application of risk management to medical devices. (2019).
Jagannathan, S., & Sorini, A. (2015). A cybersecurity risk analysis methodology for medical devices. Proceedings of the 2015 IEEE Symposium on Product Compliance Engineering (ISPCE) (pp. 1-6). Chicago.
Jiang, N., Mück, J. E., & Yetisen, A. K. (2020). The Regulation of Wearable Medical Devices. Trends in Biotechnology, 38(2), 129-133.
Jump, M. (2019). AAMI TIR97: A Vital Resource in the Postmarket Management of Medical Device Security. Biomedical Instrumentation & Technology, 53(6), 462-464.
Jump, M., & Finnegan, A. (2017). Using Standards to Establish Foundational Security Requirements for Medical Devices. Biomedical Instrumentation & Technology, 51(s6), 33-37.
Kim, D., Choi, J., & Han, K. (2020). Medical Device Safety Management Using Cybersecurity Risk Analysis. IEEE Access, 8, 115370-115382.
Mankovich, N., & Fitzgerald, B. (2011). Managing Security Risks With 80001. Biomedical Instrumentation & Technology, 45(s2), 27-32.
Martinez, J. B. (2018). Medical Device Security in the IoT Age. Proceedings of the 2018 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) (pp. 128-134). New York City.
Moshi, M. R., Parsons, J., Tooher, R., & Merlin, T. (2019). Evaluation of Mobile Health Applications: Is Regulatory Policy Up to the Challenge? International Journal of Technology Assessment in Health Care, 35(5), 351-360.
Murthy, V. (2019). Cybersecurity-Related Regulatory Considerations for Medical Devices. Biomedical Instrumentation & Technology, 53(4), 312-314.
Owens, B. (2016). Stronger rules needed for medical device cybersecurity. The Lancet, 387, 1364.
Pasanisi, J. (2017). China's new cyber law worries market. International Financial Law Review. Retrieved from https://search.proquest.com/docview/1962312690?accountid=202211
Pesapane, F., Volonté, C., Codari, M., & Sardanelli, F. (2018). Artificial intelligence as a medical device in radiology: ethical and regulatory issues in Europe and the United States. Insights into Imaging, 9, 745-753.
Pirker, A., & Hrgarek Lechner, N. (2019). Designing Secure Architecture of Health Software using Agile Practices. Proceedings of the Central European Conference on Information and Intelligent Systems (CECIIS) (pp. 269-280). University of Zagreb, Faculty of Organization and Informatics Varaždin.
Sametinger, J., Rozenblit, J., Lysecky, R., & Ott, P. (2015). Security Challenges for Medical Devices. Communications of the ACM, 58(4), 74-82.
Schwartz, S., Ross, A., Carmody, S., Chase, P., Coley, S. C., Connolly, J., & Zuk, M. (2018). The evolving state of medical device cybersecurity. Biomedical Instrumentation & Technology, 52(2), 103-111.
Skierka, I. M. (2018). The governance of safety and security risks in connected healthcare. Proceedings of the Living in the Internet of Things: Cybersecurity of the IoT - 2018 (pp. 1-12). London.
Stern, A. D., Gordon, W. J., Landman, A. B., & Kramer, D. B. (2019). Cybersecurity features of digital medical devices: An analysis of FDA product summaries. BMJ Open, 9(6), 1-7.
Stern, G. (2017). Getting with the Program to Beef Up Cybersecurity. Biomedical Instrumentation & Technology, 51(1), 70-75.
Suárez, R. A., & Scott, D. (2017). Doing What Is Right with Coordinated Vulnerability Disclosure. Biomedical Instrumentation & Technology, 51(s6), 42-45.
Vargas, W. (2017). Cybersecurity Standards Are Standing Up to the Bad Actors. Biomedical Instrumentation & Technology, 51(s6), 7-8.
Walker, A. (2018). Cybersecurity in safety-critical systems. Journal of Software: Evolution and Process, 30(5), e1956.
Webb, T., & Dayal, S. (2017). Building the wall: Addressing cybersecurity risks in medical devices in the U.S.A. and Australia. Computer Law & Security Review: The International Journal of Technology Law and Practice, 33(4), 559-563.
Wu, F., & Eagles, S. (2016). Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality. Biomedical Instrumentation & Technology, 50(1), 23-34.
Yuan, S., Fernando, A., & Klonoff, D. C. (2018). Standards for Medical Device Cybersecurity in 2018. Journal of Diabetes Science and Technology, 12(4), 743-746.
© 2020. This work is published under http://archive.ceciis.foi.hr/app/index.php/ceciis/archive (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
Author affiliation: University of Zagreb, Faculty of Organization and Informatics, Pavlinska 2, 42000 Varaždin, Croatia