This guidance is for manufacturers and sponsors of medical devices that include software or electronic components.
The guidance is intended for:
Alongside this guidance, the TGA has also produced medical device cyber security guidance for users.
Connectivity and digitisation of medical device technologies may improve device functionality and benefit. However, connecting medical devices to networks or the internet exposes them to cyber threats that can increase the risk of harm to patients. These might include:
Additionally, there are fundamental security interdependencies between medical devices and the networks they connect to. Cyber security for medical devices must be considered as part of a layered, holistic security ecosystem. The cyber security landscape is constantly evolving.
Chapter 4 of the Therapeutic Goods Act 1989 (the Act) provides for the safety and satisfactory performance of medical devices by setting out particular requirements for medical devices, establishing processes aimed at ensuring those requirements are met, and providing for enforcement of these requirements. The requirements for medical devices include fifteen 'Essential Principles', set out in Schedule 1 of the Therapeutic Goods (Medical Devices) Regulations 2002 (the MD Regulations), which relate to the safety and performance characteristics of medical devices. Assurance that relevant medical devices are appropriately cyber-secure is required for compliance with a number of the Essential Principles.
This guidance has been produced in order to support Australia's medical device cyber security capability, embedding improved cyber security practices across the medical device sector. This guidance on cyber security for medical devices is in line with existing regulatory requirements and will assist in supporting the implementation of risk-based regulatory approval pathways that are guided by and support the Australian Government's cyber security strategy.
The purpose of this guidance is to help manufacturers and sponsors understand how the TGA interprets regulations, and thus indicate how to comply. This is a guide only, and manufacturers and sponsors are encouraged to familiarise themselves with the legislative and regulatory requirements in Australia. If necessary, seek professional advice as it is the responsibility of each manufacturer or sponsor to understand and comply with these requirements.
This document will evolve over time and updates and clarifications will be included as required. Feedback on the guidance is always welcome.
Medical devices cannot generally be supplied in Australia unless they are included on the Australian Register of Therapeutic Goods (ARTG). Inclusion on the ARTG requires considerations that span the life of a medical device, including:
Adopting a total product life cycle (TPLC) approach to risk and quality management is required.
Assessment and management of cyber security risks that could compromise the health and safety of a patient, user or any other person, as with other risks for medical devices, is the responsibility of the manufacturer.
The information provided in this section details the general responsibilities and requirements (for both pre and post market consideration) for medical device manufacturers and sponsors to ensure that devices meet regulatory requirements associated with cyber security, specifically risk management frameworks, including:
Risk management is expected to be an ongoing activity, which is considered, controlled and documented across all phases in the life of a medical device, from the initial conception to development and testing, market authorisation, post-market use, and through to end-of-life and obsolescence. Meeting these expectations is most readily achieved by adopting a total product life cycle (TPLC) approach to risk and quality management. One standard that may be consulted to help with this is IEC 62304 (detailed in Relevant Standards).
As with other risks, if cyber security risk is not effectively minimised or managed throughout the life of the device, it can lead to issues including: a medical device failing to deliver its therapeutic benefit, a breach in the confidentiality, integrity and availability of medical device data, or malicious unauthorised access to the medical device and the network it operates on. Underpinning a TPLC approach is the ongoing application and updating of quality management systems including:
As clinical use of a medical device is sometimes considerably longer than the expected lifespan of the technology that allows its operation (e.g. software and connectivity hardware), manufacturers and sponsors need to be aware of this challenge and work with users to effectively minimise risk.
For a medical device to be included on the ARTG, the manufacturer must demonstrate compliance with the Essential Principles. The Essential Principles require that a manufacturer minimise the risks associated with the design, long-term safety and use of the device; this implicitly includes minimisation of cyber security risk.
Six general Essential Principles are relevant to all medical devices, and a further nine Essential Principles about design and construction apply to medical devices on a case-by-case basis, depending on the technology used within the device (refer to Therapeutic Goods (Medical Devices) Regulations 2002 - Schedule 1 for more information).
The Essential Principles are not a prescriptive list of requirements for manufacturers to comply with; instead they provide high-level principles that allow flexibility according to the characteristics of the device. The legislation does not mandate the means by which a manufacturer must prove that they have met the Essential Principles. It is a manufacturer's responsibility to determine which Essential Principles are relevant and to demonstrate compliance with these.
A medical device must comply with the Essential Principles which set out the requirements relating to safety and performance. The TGA requires that the Essential Principles are met by applying accepted best-practice regarding quality management systems and risk management frameworks, which is typically via application of state of the art standards (See also Relevant Standards). Supplying medical devices that do not comply with the Essential Principles may have compliance and enforcement consequences; it may be an offence or may contravene a civil penalty provision of the Act[1].
The obligation to have information that demonstrates compliance with the Essential Principles lies with the manufacturer of the device. However, the sponsor must be able to provide information to the TGA to demonstrate such compliance. This applies to all medical devices regardless of risk class.
Throughout the medical device life cycle, manufacturers need to ensure continuing compliance with the Essential Principles. Risk management for medical device cyber security requires assessment and corresponding action over the life-cycle of the device and with consideration of the multiple environmental factors that may be applicable. Some considerations include that:
As a cyber security risk can be a safety concern, consideration and minimisation of such risks are imperative to compliance with many of the Essential Principles.
In particular, Essential Principle 1(b) requires, among other things, that a medical device is to be designed and produced in a way that ensures that any risks associated with the use of the device are acceptable risks when weighed against the intended benefit to the patient, and compatible with a high level of protection of health and safety.
Further, Essential Principle 2(2) requires, among other things, that in selecting appropriate solutions for the design and construction of a medical device so as to minimise any risks associated with the use of the device, the manufacturer must:
Cyber security considerations that a manufacturer may need to address to comply with this Essential Principle will depend on the type of device, but may include:
Additional examples of cyber security considerations for manufacturers and sponsors as they relate to a number of the Essential Principles are highlighted in Table 1. Where appropriate, these considerations require the manufacturer to act to reduce or manage associated risk and these actions should be documented in the manufacturer's quality management system and/or risk management system.
Essential Principle | Cyber security considerations |
---|---|
1. Use of medical devices not to compromise health and safety | |
2. Design and construction of medical devices to conform to safety principles | |
3. Medical devices to be suitable for intended purpose | |
4. Long-term safety | |
5. Medical devices not to be adversely affected by transport or storage | |
6. Benefit of medical devices to outweigh any undesirable effects | |
9. Construction and environmental properties | |
10. Medical devices with a measuring function | |
12. Medical devices connected to or equipped with an energy source | |
13. Information to be provided with medical devices | |
The application of standards is one way to demonstrate that medical devices comply with the Essential Principles, although their use is not mandated by the TGA. Medical devices that carry cyber security risks are highly variable in their components and operate in a variety of environments, so many standards are relevant. The matrix below (Table 2) presents a summary of standards recognised as suitable for meeting regulatory requirements for the cyber security of medical devices, alongside the relevant Essential Principles that each may help demonstrate. Alongside relevant standards, other risk management strategies can be adopted if they are generally acknowledged state of the art.
As technology evolves and new standards and guidelines are developed, manufacturers and sponsors will need to be aware of the changing state of the art relevant to their devices. Manufacturers and sponsors are encouraged to review international guidance and publications concerning medical device cyber security, and review established and emerging practices from the broader cyber security sector, many of which have been applied in complex industry environments where risk reduction is a primary focus.
Standard* | Scope | EP1 | EP2 | EP3 | EP4 | EP5 | EP6 | EP9 | EP10 | EP12 | EP13 |
---|---|---|---|---|---|---|---|---|---|---|---|
ISO 14971 Medical devices—Application of risk management to medical devices | A process for a manufacturer to identify the hazards associated with medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls. | | | | | - | | | - | | - |
ISO 13485 Medical devices—Quality management systems—Requirements for regulatory purposes | Specifies requirements for a QMS where an organisation needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. | | | | | | - | - | | - | - |
IEC 62304 Medical device software—Software life cycle processes | Defines the life cycle requirements for medical device software: the set of processes, activities and tasks including development, maintenance, configuration management and problem resolution. | - | | - | | | | | - | - | |
IEC 60601 (series) Medical electrical equipment—General requirements for basic safety and essential performance | Widely accepted benchmark for medical electrical equipment. The series covers safety and performance of electrical medical equipment and helps to ensure that no single electrical, mechanical or functional failure poses an unacceptable risk to patients and operators. | - | | - | - | | - | | | | - |
IEC 62366-1 Medical devices—Part 1: Application of usability engineering to medical devices | Specifies a process for a manufacturer to analyse, specify, develop and evaluate the usability of a medical device as it relates to safety. | | | | | - | - | | - | | |
IEC TR 62366-2 Medical devices—Part 2: Guidance on the application of usability engineering to medical devices | Contains background information and provides guidance on specific areas that experience suggests can be helpful for those implementing a usability engineering (human factors engineering) process. | | | | | - | | | - | | - |
UL 2900-1 Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements | Applies to network-connectable products that are to be evaluated and tested for vulnerabilities, software weaknesses and malware: (i) developer risk management process requirements; (ii) methods to test for vulnerabilities, software weaknesses and malware; and (iii) security risk control requirements. | | | | | - | - | | - | | - |
UL 2900-2-1 Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems | A security evaluation standard that applies to medical devices, accessories to medical devices and medical device data systems. | | | | | - | - | | - | | - |
IEC 80001 (series) Application of risk management for IT-networks incorporating medical devices | The 80001 series defines roles, responsibilities and activities for risk management of IT networks incorporating medical devices. The focus is on safety, effectiveness, data security and system security. | | | | - | - | - | | - | - | |
AAMI/UL 2800 Safety and security requirements of interoperable medical systems | Defines the safety specifications with which a medical device's interface should be labelled in order to operate in safe conditions. Focuses on risks associated with interoperability within the integrated clinical environment. | - | | | - | - | - | | - | | |
AAMI TIR 57 Principles for medical device security—risk management | Methods to perform information security risk management for a medical device within the context of ISO 14971. Incorporates the view of risk management from IEC 80001-1. | | | | | - | | | - | | - |
IEC 80002 (series) Medical device software | Provides guidance on the application of ISO 14971 to medical device software and methods for validation of software for medical devices, including any software used in device design, testing, component acceptance, manufacturing, labelling, packaging, distribution and complaint handling, or to automate any other aspect of a medical device quality system. | | | | | - | | | - | | |
ISO/IEC 15408 (series) Evaluation criteria for IT security | Common Criteria. Establishes general concepts and principles of IT security evaluation and models for evaluating the security properties of IT products. | | | | | - | - | | - | | - |
IEC 82304-1 Health software—Part 1: General requirements for product safety | Covers the entire life cycle including design, development, validation, installation, maintenance and disposal of health software products. Covers safety and security of health software products designed to operate on general computing platforms and intended to be placed on the market without dedicated hardware. | | | | | | | | | | |
ISO/IEC 29147 Information technology—Security techniques—Vulnerability disclosure | Details the methods a vendor should use for the disclosure of potential vulnerabilities in products and online services. | | - | - | | - | - | | - | - | |
ISO/IEC 30111 Information technology—Security techniques—Vulnerability handling processes | Explains how to process and resolve potential vulnerability information in a product or online service. | | | | | | | | - | - | |
ISO 27799 Health informatics—Information security management in health using ISO/IEC 27002 | Explains organisational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organisation's information security risk environment(s). | - | - | - | | | - | | - | - | |
ISO 14708-1 Implants for surgery—Active implantable medical devices—Part 1: General requirements for safety, marking and for information to be provided by the manufacturer | Specifies the general requirements for active implantable medical devices and safety requirements including those for electrical, mechanical, thermal and biocompatibility hazards. The standard is also applicable to some non-implantable parts and accessories. | | | | - | - | - | | - | | |
IEC 61010-2-101 Safety requirements for electrical equipment for measurement, control and laboratory use—Part 2-101: Particular requirements for in vitro diagnostic (IVD) medical equipment | Applies to equipment intended for in vitro diagnostic (IVD) medical purposes, including self-test IVD medical purposes. | | | - | - | - | - | | | | - |
*Use the current version of each standard as appropriate.
To ensure that a medical device included in the ARTG continues to meet the requirements of the Essential Principles, a manufacturer or sponsor must demonstrate how they will gather information regarding emerging risks, including cyber security vulnerabilities that may impact the safe operation of their medical device and how these will be addressed.
To monitor for vulnerabilities that may affect a given device, the manufacturer should maintain a Software Bill of Materials (SBOM) listing the software components, including third-party and open-source components, incorporated in the device, so that the impact of a newly disclosed vulnerability on that device can be assessed quickly.
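The following is an added example of how an SBOM supports this kind of monitoring; it is illustrative code written for this page, not TGA or manufacturer code. It reads a minimal CycloneDX-style SBOM, cross-references it with a list of advisories whose version ranges follow the OSV convention (affected if introduced <= version < fixed, an assumption stated in the code), and produces a triage list. The SBOM, the advisories, the package names and the advisory identifiers are all constructed for illustration and do not refer to real software or real vulnerabilities. It also handles the case a practitioner will meet in practice: a component whose version was never recorded cannot be cleared and is flagged for review rather than silently skipped.

```python
"""Match a minimal CycloneDX-style SBOM against vulnerability advisories.

Added example for this guidance, not TGA or manufacturer code.  The SBOM,
the advisories, and every package name and advisory identifier below are
constructed for illustration and do not describe real software or real
vulnerabilities.  Range semantics assumed here follow the OSV convention:
a version is affected if introduced <= version < fixed.
"""
import json
from typing import Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed SBOM (subset of CycloneDX JSON fields) for a hypothetical device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "pump-controller-fw", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "examplenet", "version": "1.8.3"},
        {"type": "library", "name": "tlsstack", "version": "2.0.1"},
        {"type": "operating-system", "name": "rtos-kernel", "version": "5.10.44"},
        {"type": "firmware", "name": "bootfw"},  # version not recorded in the SBOM
    ],
})

# Constructed advisories with OSV-style ranges ("fixed": None means no fix yet).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "examplenet", "introduced": "1.0.0", "fixed": "1.9.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "tlsstack", "introduced": "2.0.0", "fixed": "2.0.1", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "rtos-kernel", "introduced": "5.10.0", "fixed": None, "severity": "medium"},
    {"id": "ADV-EXAMPLE-0004", "package": "bootfw", "introduced": "1.0", "fixed": "1.2", "severity": "low"},
]


def parse_version(version: str, width: int = 4) -> tuple:
    """Parse a dotted numeric version into a zero-padded tuple so that
    '1.8' and '1.8.0' compare equal.  Non-numeric versions raise ValueError;
    a production pipeline would use a PEP 440 or semver parser instead."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style range check: introduced <= version < fixed (no upper bound if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def load_components(sbom_json: str) -> list:
    """Return the top-level product plus every listed component as name/version pairs."""
    bom = json.loads(sbom_json)
    comps = [bom["metadata"]["component"]] + list(bom.get("components", []))
    return [{"name": c["name"], "version": c.get("version")} for c in comps]


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Cross-reference SBOM components with advisories.  Components with no
    recorded version cannot be cleared and are reported as 'needs-review'."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if comp["version"] is None:
                status = "needs-review"
            elif is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                status = "affected"
            else:
                continue  # installed version is outside the vulnerable range
            findings.append({
                "component": comp["name"],
                "version": comp["version"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                "status": status,
                "fix_available": adv["fixed"] is not None,
            })
    # Highest severity first so the triage list is ordered for action.
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['severity']:<8} {f['status']:<13} {f['component']} "
              f"{f['version']} {f['advisory']} fix_available={f['fix_available']}")
```

Run as a script, the example reports the out-of-date library (fix available), the kernel with no fix yet (which is the case that drives a compensating-control decision and, where patient safety is affected, a report to the TGA), and the unversioned firmware as needing review; the library already at its fixed version produces no finding.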
Manufacturers should share information with the TGA, (see Post-market guidance), and the wider industry regarding cyber security vulnerabilities that are discovered and threats that emerge.
In a case where cyber security vulnerabilities, threats and risks pose an immediate and significant threat to the health and safety of users, or will result in deficiencies or potential deficiencies to the safety, quality, performance or presentation of the device, this information must be shared with the TGA and a corrective and preventative action taken.
[1] See Division 1 of Part 4-11 of Chapter 4 of the Therapeutic Goods Act 1989.
Sponsors intending to include a medical device on the ARTG for supply in Australia need to meet their legal obligations under the Act and the MD Regulations. In demonstrating compliance with the Essential Principles, the sponsor needs to demonstrate that cyber security risks have been addressed.
The TGA has a risk-based approach to the regulation of medical devices. The level of scrutiny by the TGA of a device before it is placed on the ARTG and supplied in Australia depends on the risk posed by the device. The lowest risk medical devices, Class I devices, are not assessed by the TGA prior to inclusion on the ARTG. For all classes of medical devices, evidence must be made available when requested by the TGA to demonstrate that medical device risk, including cyber security risk, is being managed by appropriate quality management systems and risk management frameworks. The regulations specify that some applications are subject to mandatory application audits, with other types of applications subject to non-mandatory application audits.
All medical devices that include software are susceptible to cyber security risks. Manufacturers of medical devices must demonstrate how cyber security risk has been minimised during the design, development, manufacturing and supply of a medical device, and how post-market requirements will be satisfied. These activities are critical to reduce the likelihood of a cyber security vulnerability being exploited and leading to unacceptable risk to a patient, and to the management of emerging and ongoing cyber security risk; they should be documented in the manufacturer's quality management system.
Alongside the TGA's regulatory requirements for device safety, performance and quality, manufacturers are reminded that some devices may also have other regulatory requirements that need to be met, for example, the Office of the Australian Information Commissioner's Notifiable Data Breach Scheme under the Privacy Act 1988.
To meet the requirements of the relevant Essential Principles, a manufacturer is required to eliminate identified cyber security risk, or reduce the risk to an acceptable level. The potential for new cyber security risks that will emerge over the usable life of the device must also be considered and planned for, with upgrade pathways proactively developed where appropriate to address these issues once the device is on the market. Manufacturers should also proactively consider how to reduce risks associated with device obsolescence.
To reduce cyber security risk throughout the design and development phases, there are two approaches that assist in understanding cyber security risk as early as possible. Consideration of these approaches also assists with compliance with the Essential Principles. They include:
The Essential Principles require that design solutions adopted by medical device manufacturers will have 'regard to the generally acknowledged state of the art'[3]. In many instances, this expectation is achieved by the application of standards, some of which are outlined in Relevant Standards. The standards outlined in Table 3 are generally expected as a baseline during the design and development of a medical device; however, depending on the device, compliance with the Essential Principles may necessitate implementation of additional standards (information in Relevant Standards).
Manufacturers should be mindful that applying standards alone does not guarantee compliance with the Essential Principles. Nor does it guarantee adequate cyber security: attack techniques change far faster than the timeframes over which standards are developed and implemented.
Standard* | Scope |
---|---|
ISO 14971 | Medical devices—Application of risk management to medical devices |
ISO 13485 | Medical devices—Quality management systems—Requirements for regulatory purposes |
IEC 62304 | Medical device software—Software life cycle processes |
IEC 60601 (series) | Medical electrical equipment—General requirements for basic safety and essential performance |
* Use the current version of each standard as appropriate.
Risks that must be managed are detailed in the Essential Principles. Broadly, these include risks associated with the intended use of the device, long term safety, transport and storage, reasonably foreseeable environmental conditions, and unavailability of maintenance and calibration. The development of risk management strategies - the continuous approach to identifying, estimating and reducing risk - is required in order for a medical device to comply with the Essential Principles; cyber security risk management can be readily included in these strategies. A separate cyber security risk assessment in addition to the product risk assessment is an acceptable approach.
Two potential strategies to manage risk are detailed below, including the process outlined in ISO 14971 and the USA's National Institute of Standards and Technology's (NIST) cyber security framework. While ISO 14971 is the most commonly applied risk management strategy, others can be used as long as they ensure a manufacturer is adequately assessing, controlling and monitoring risks.
The ISO 14971 standard specifies a process through which the manufacturer of a medical device can identify hazards associated with a medical device, estimate and evaluate the risks associated with these hazards, control these risks, and monitor the effectiveness of that control.
The following qualitative levels of severity of patient harm, based on descriptions in ISO 14971, could be used in a cyber security risk assessment:
The quantity of patients affected by the risk may warrant an increase in the severity of harm, for example it may be more appropriate to describe a critical level of harm to many patients as catastrophic.
The following summary is provided as an example of a risk management process under ISO 14971[4]:
Development of a risk management strategy in line with the USA's National Institute of Standards and Technology's (NIST) cyber security framework is an approach used as a way to address cyber security risks. Originally developed for critical infrastructure, the framework is also beneficial for manufacturers of medical devices and the broader healthcare ecosystem. The framework describes a series of concurrent and continuous cyber security functions that underpin a cyber security risk management strategy for both pre- and post-market phases[5]:
Implementing a cyber security risk management strategy that is based on this framework may assist in meeting the requirement for a medical device to obtain and maintain regulatory compliance in Australia.
Medical device manufacturers need to consider the cyber security practices of their manufacturing and supply chain, ensuring that relevant components used within or for the construction of the device are appropriately cyber secure, and will meet the requirements of the Essential Principles, in particular:
Contractual negotiations and agreements should clearly outline cyber security expectations from the medical device manufacturer or sponsor responsible for the device once it is supplied in Australia. Manufacturers should investigate and ask questions to understand the cyber security practices and response plans of their suppliers and any platforms that their products will operate on or be distributed through (this includes mobile devices, web services and cloud services). On-going monitoring of practices should also be implemented and manufacturers should act in a timely manner should they discover a cyber security (or other) issue from a component within their supply chain.
Agreements should include expectations about the cyber security practices of third parties to ensure the confidentiality, integrity and availability of applicable systems. Where appropriate, thresholds and timelines for supply chain reporting of cyber security incidents should be agreed.
Essential Principle 9 requires, among other things, that a medical device manufacturer must ensure that a medical device is designed and produced in a way that ensures that, as far as practicable, the risks associated with reasonably foreseeable environmental conditions are removed or minimised[6]. To meet this requirement and those of Essential Principle 13 (Information to be provided with medical devices), appropriate information on cyber security must be provided to users of medical devices. This should include plain-language information for users with little or no cyber security education, and technical information for those with more advanced understanding. Considerations for cyber security specific information that may need to be provided in line with Essential Principle 13 can be found in Table 1.
Effective communication is required for consumers to understand risk, and give informed consent to treatment. This can be a challenge when both the clinician and the consumer may lack specific expertise on medical device cyber security, compounded by the rapidly changing pace of cyber security. Because of this potential mutual lack of cyber expertise, the requirements for manufacturers to provide clear, high quality and usable information to clinicians and consumers about cyber security risks and how to mitigate them are vitally important.
Clinicians need to be armed with the information to have a meaningful discussion with the patient about the risks and benefits of a particular device they are prescribing, including cyber security risk. This information needs to be in a language that is relevant to them, and their patients. In the case of high risk devices, clinicians must also have access to information to understand how and when to apply an update to a device.
Provision of information is also important for consumer focused medical devices, where the device may be used in a home environment (with limited cyber security protection) or a public environment which by nature is highly accessible.
As healthcare service providers increasingly strive to create a cyber secure environment, medical device manufacturers and sponsors supplying to these service providers will be asked for more specific information on cyber security risk mitigation measures during procurement activities. Collaboration between these organisations is essential to creating a more cyber secure healthcare environment. The USA's National Electrical Manufacturers Association (NEMA) provides an example form that manufacturers might consider when providing information to healthcare services providers (see Manufacturer Disclosure Statement for Medical Device Security). Further, a list of potential questions suggested for these procurement teams are listed in the TGA's medical device cyber security guidance for users of medical devices. These include:
There are a number of technical cyber security considerations that a manufacturer should address during the pre-market development of a medical device to help ensure that cyber security risks to patient safety are designed out, removed, eliminated, reduced or otherwise managed. A number of these considerations are detailed here; however, manufacturers should be aware that technical considerations will vary depending on the device in question, the intended use, and the environment of use.
[2] Software Assurance Forum for Excellence in Code (SAFECode), Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Lifecycle Program, Third Edition, March 2018. Available from: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf (PDF, 762 kB). Accessed 10/03/2019.
[3] Therapeutic Goods (Medical Devices) Regulations 2002, Schedule 1, clause 2(1) (Essential Principle 2(1)).
[4] Speer, J. (n.d.). The Definitive Guide to ISO 14971 Risk Management for Medical Devices. Available from: https://www.greenlight.guru/hubfs/Sales_Material/gg_guide_to_risk_management.pdf (PDF, 339 kB). Accessed 9/11/2018.
[5] NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity. Available from: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (PDF, 1.01 MB). Accessed 28/09/2018.
[6] Essential Principle 9.2(b).
[7] Strom, B., Battaglia, J., Kemmerer, M., et al. (2017). Finding Cyber Threats with ATT&CK-Based Analytics, MITRE Corporation. Available from: https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf (PDF, 710 kB). Accessed 13/03/2019.
The TGA will always assess compliance with the Essential Principles against the current risk environment, regardless of which risks existed when the device was included in the ARTG. Evidence of compliance with the Essential Principles, and other legislation, must be supplied to the TGA if requested.
The inclusion of a medical device on the ARTG is subject to certain statutory conditions which include, for example, an obligation to maintain sufficient information to substantiate compliance with the Essential Principles or have procedures in place with the manufacturer to ensure such information can be obtained[8]. Breaching the conditions of the inclusion of a medical device may lead to suspension or cancellation of the entry for that device from the ARTG[9], may be an offence[10], and may contravene a civil penalty provision[11].
Consistent with these legislative requirements and in line with a total product life cycle (TPLC) strategy, once a medical device has been included on the ARTG, it must continue to meet the requirements of the Essential Principles to remain on the ARTG. Risk management and quality management systems must be updated appropriately over the life cycle of a device to maintain inclusion on the ARTG. It is critical that the change management process, e.g. as outlined in IEC 62304 standard, is documented to clearly outline how risk and quality management systems have been modified as the risk profile of the medical device evolves.
Therapeutic Goods Act 1989 - Chapter 4, Part 4-5, Division 2, section 41FN(3)
41FN Conditions applying automatically
(3) The inclusion of a kind of medical device in the Register is subject to conditions that:
Cyber security risk must be considered as part of the post-market risk management process (e.g. ISO 14971, the NIST cyber security framework) and is a recurring activity. As with other risks, the changing nature of cyber security risk means that it cannot be mitigated through pre-market controls alone and requires ongoing management. Cyber security risk monitoring and management needs to be an integral aspect of the post-market monitoring activities conducted by a manufacturer and sponsor(s).
Cyber security is an ongoing activity.
As with other risks, it is important for medical device manufacturers and sponsors to develop an understanding of how to assess cyber security risk. To do this effectively it is important to build a robust understanding of the relationship between cyber security vulnerabilities, exploits, and threats. This will assist a manufacturer or sponsor in understanding which course of action is required in response to the changed medical device cyber security risk profile, i.e. a device recall, safety alert, routine update or an adverse event report to the TGA. Figure 1 details the high-level relationship between vulnerabilities, exploits, threats and risk, and the people who have adversary capabilities, commonly known as white hat and black hat.
Alongside white hat hackers and black hat adversaries, users of medical devices can unwittingly introduce cyber security risk themselves by attempting to make unauthorised modifications to enhance the device for their perceived needs. In some cases, these modifications may be unintentional.
Further, insider threats present a challenge to both manufacturers and users of medical devices. Employees, contractors or partners wishing to cause harm represent a significant source of threat. Having authorised access allows insiders to potentially compromise confidentiality, integrity or availability of medical devices and their networks and data. Malicious or accidental insider access to a device or deletion, alteration, falsification, or unauthorised sharing of patient data is a real challenge that manufacturers need to be aware of, identify and address.
Vulnerabilities are weaknesses in computer software code, hardware designs, information systems, security procedures, internal controls, or human behaviour that could be exploited by a threat.
Vulnerabilities are typically made known to the public once a verified patch exists; this can be via active cyber security monitoring (Cyber security risk monitoring) or by notification to the manufacturer/sponsor by a third party. When a vulnerability is published or discovered (like the examples detailed below), a manufacturer must assess the risk posed to the safe use of the medical device and decide whether corrective and preventative action (CAPA) is required based on the level of risk. Even if the risk is assessed to be acceptable because there is no known incident of the vulnerability being exploited, a low likelihood of exploitation, and negligible potential risk of harm to patients, the response should be documented as part of continuous risk management.
Essential Principle 2 requires that manufacturers eliminate or reduce risk as far as possible and inform users of the residual risk that arises from any shortcoming of the protection measures adopted.
Many vulnerabilities remain intentionally undisclosed, and may be leveraged by adversaries to create a 'zero day' situation, which is when a publicly unknown vulnerability is used to create a cyber-attack ('zero day' reflects that the day of the attack and the disclosure of the vulnerability are the same).
Vulnerabilities may have exploits—tools developed to take advantage of (one or more) vulnerabilities. Numerous exploits are publicly accessible, and are packaged as executables or source code. These exploits may also be packaged into toolsets for improved usability (e.g. vulnerability scanners). Other exploits are not public, and are implemented to demonstrate that the vulnerabilities can be used to compromise an ecosystem.
Threats emerge with the existence of vulnerabilities and adversarial motives to exploit these vulnerabilities—a situation that has the potential to cause harm. For example, the threat to patient privacy, such that data may be exposed to unauthorised individuals; or the threat to patient safety, such that a compromised device may no longer complete its intended task. Black hat adversaries may instigate an attack by strategically using several exploits to realise threats and achieve their objectives. The existence of threats to medical devices leads to risks, and manufacturers and sponsors must respond to minimise those risks, as outlined in the following section.
To remain compliant with the Essential Principles a manufacturer or sponsor must establish, document, and update quality management and risk management systems throughout the lifecycle of a medical device. Documenting the effectiveness of any corrective or recall action is required as part of this process.
This involves an ongoing process for identifying hazards associated with the safe use of the medical device, including cyber security vulnerabilities, threats, and estimating and evaluating the associated risks, controlling these risks, and taking corrective action where necessary.
In alignment with a TPLC strategy and as part of a sponsor's post-market obligations, ongoing monitoring and surveillance of safety and performance is required, including monitoring for cyber security issues. This approach to monitoring cyber security intelligence and information should be clearly outlined during the development of the medical device. Cyber security vulnerabilities, threats and risks may be identified by numerous different parties along the supply chain, including:
In order to monitor for vulnerabilities that may affect a given device, the manufacturer should maintain a Software Bill of Materials (SBOM) to cross-reference for improved assessment of risk should a vulnerability be discovered. If a cyber security vulnerability is identified through monitoring activities, the manufacturer should work with the source (where appropriate) to understand the issue and conduct a risk assessment. The outcome of all cyber security monitoring must be documented as part of ongoing risk management, regardless of the level of risk that the activity identifies.
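The SBOM cross-reference described above, together with the point made earlier that the outcome of each vulnerability assessment is documented even when the risk is judged acceptable, as an added example that is not part of the TGA guidance. Every component name, version and advisory identifier is a constructed placeholder (none is a real product or CVE), and the harm and likelihood inputs stand in for the manufacturer's own assessment.

```python
"""SBOM/advisory cross-reference with a documented outcome for every match.
Added example: all names, versions and advisory IDs are constructed placeholders
(no real products or CVEs); harm and likelihood inputs stand in for the
manufacturer's own assessment."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Component:
    """One SBOM entry: a software component as shipped on the device."""
    name: str
    version: str

@dataclass(frozen=True)
class Advisory:
    """Constructed vulnerability notice. Versions from `introduced` (inclusive)
    up to `fixed_in` (exclusive) are affected; fixed_in=None means no patched
    release exists yet."""
    advisory_id: str
    component: str
    introduced: str
    fixed_in: Optional[str]
    exploit_public: bool   # a working exploit is publicly available
    known_incident: bool   # exploitation of this issue has been reported
    patient_harm: str      # manufacturer's assessment: negligible/minor/serious

@dataclass(frozen=True)
class AssessmentRecord:
    """Documented outcome of one assessment, kept whatever the result."""
    advisory_id: str
    component: Component
    risk_acceptable: bool
    capa_required: bool
    rationale: str

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string to a comparable tuple: "1.2.9" -> (1, 2, 9)."""
    return tuple(int(part) for part in v.split("."))

def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the shipped version falls inside the advisory's affected range."""
    if comp.name != adv.component:
        return False
    shipped = parse_version(comp.version)
    return (shipped >= parse_version(adv.introduced)
            and (adv.fixed_in is None or shipped < parse_version(adv.fixed_in)))

def assess(sbom: List[Component], advisories: List[Advisory]) -> List[AssessmentRecord]:
    """Record every SBOM/advisory match. Risk is acceptable only when all three
    guidance conditions hold (no known incident, no public exploit as the
    likelihood proxy, negligible potential harm); otherwise CAPA is required."""
    records: List[AssessmentRecord] = []
    for comp in sbom:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            triggers = []
            if adv.known_incident:
                triggers.append("exploitation incident reported")
            if adv.exploit_public:
                triggers.append("public exploit available")
            if adv.patient_harm != "negligible":
                triggers.append("potential patient harm: " + adv.patient_harm)
            acceptable = not triggers
            rationale = ("residual risk accepted: no incident, no public exploit, "
                         "negligible harm" if acceptable
                         else "CAPA required: " + "; ".join(triggers))
            records.append(AssessmentRecord(adv.advisory_id, comp, acceptable,
                                            not acceptable, rationale))
    return records

def sample_inputs() -> Tuple[List[Component], List[Advisory]]:
    """Constructed SBOM and advisory feed used to exercise the assessment."""
    sbom = [Component("tls-lib", "1.2.9"), Component("ble-stack", "4.0.1"),
            Component("json-parser", "2.4.0")]
    advisories = [  # id, component, introduced, fixed_in, exploit, incident, harm
        Advisory("ADV-EXAMPLE-0001", "tls-lib", "1.0.0", "1.3.0", True, False, "serious"),
        Advisory("ADV-EXAMPLE-0002", "ble-stack", "4.0.0", None, False, False, "negligible"),
        Advisory("ADV-EXAMPLE-0003", "json-parser", "2.0.0", "2.4.0", True, True, "serious"),
    ]
    return sbom, advisories
```

Running `assess(*sample_inputs())` yields two records: one requiring CAPA for the TLS component and one documenting an accepted residual risk for the Bluetooth stack, while the patched JSON parser produces no match.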
Cyber threat information sharing is an important component for a safe and secure digital ecosystem. Such an information sharing system provides parties along the supply chain, but especially the manufacturer and sponsor, with the capability to identify threats, assess associated risks, and share best practice approaches to addressing these. Information empowers organisations with knowledge to monitor threats and respond accordingly.
In Australia, general cyber security threat information sharing and monitoring can be facilitated through CERT Australia (as part of the Australian Cyber Security Centre). Other Australian options for medical device organisations to formally share information on cyber security threats are currently limited; however, the TGA encourages informal networks of manufacturers to share information on threats and recognises the value of information from international organisations (e.g. health focused Information Sharing and Analysis Organizations (ISAOs) in the USA).
A manufacturer or sponsor's assessment of the risk of patient harm posed by a cyber security hazard that impacts the safety, quality, performance or presentation of a device should consider:
By considering these, manufacturers/sponsors can evaluate whether a cyber security vulnerability is creating potential risks associated with an adverse event, a medical device failure or a complaint, and understand whether the risk of patient harm is acceptable (a low risk relative to the intended benefit) or unacceptable (a high risk relative to the intended benefit) (Figure 2).
Modified from the FDA post-market guidance on cyber security for medical devices
Independent of the outcome of a risk assessment, all risk assessment activities (including the cyber security monitoring activities outlined above) must be captured, demonstrating application of the risk management strategy (e.g. application of ISO 14971) outlined as part of the pre-market activities. This must include corrective and preventative action (CAPA) plans and incident response activities. Quality management systems should also be updated, if applicable. Risk assessment should be a recurring activity, with a frequency based on the level of risk and any new information that is uncovered.
Manufacturers are required to remediate cyber security vulnerabilities to reduce the risk of patient harm to an acceptable level.
Manufacturers are required to assess which course of action to take prior to making updates to medical devices (including to software). Such a proposed change may require an associated recall action, e.g., a safety alert, routine update, submission of an adverse event report, or a device recall.
Changes to software that do not have implications for safety, quality, performance or presentation generally do not require any form of recall action; however, the manufacturer should consider whether its certifying body should be notified of the change.
If sponsors or manufacturers are unclear as to whether a software update requires a type of recall or non-recall action, they should contact the Australian Recall Coordinator for advice in the first instance.
Manufacturers and sponsors are required to update risk management systems following the rollout of updates to medical devices.
Consult the Uniform Recall Procedure for Therapeutic Goods (URPTG) and follow this procedure as applicable.
Cyber security vulnerabilities, threats and risks may be discovered that pose an immediate and significant threat to the health and safety of users or public health. Cyber security issues may also indicate that there has been actual or potential product tampering. In these cases, devices may require an immediate recall. If such a threat is found, sponsors must:
Cyber security vulnerabilities, threats and risks may be discovered that result in deficiencies or potential deficiencies to the safety, quality, performance or presentation of a medical device and require appropriate recall action to ensure the health and safety of users.
If such a deficiency is found, sponsors must consult the Uniform Recall Procedure for Therapeutic Goods and follow this procedure as applicable.
Sponsors must check whether the issue with the therapeutic good(s) requires a recall before considering a non-recall action. Sponsors must decide the type, class and level of recall.
The type of recall action for cyber security risks depends on the evaluation of the risk of patient harm, the nature of the deficiency and the class of the recall. These need to be assessed on a case-by-case basis. Figure 2 highlights the application of the TGA's three recall classes to the evaluation of patient harm. These are outlined below, as per the URPTG.
The URPTG defines four types of recall actions:
Recall actions related to cyber security could be class I, II or III.
Not all issues require recall actions. A non-recall action can be conducted if:
The decision to go ahead with a non-recall action needs to be made and agreed upon in consultation with the TGA.
Four types of non-recall actions may be appropriate:
Alongside the recall and non-recall actions described above, the TGA has a range of other compliance tools it can use if risks identified in relation to a medical device are not managed appropriately. These include:
In Australia, cyber security threat information sharing and monitoring can be facilitated through CERT Australia (operated under the Joint Cyber Security Centres as part of the ACSC) and AusCERT (a not-for-profit organisation under the University of Queensland). Internationally, the US-based ICS-CERT provides regular updates concerning known medical device threats.
Effective threat intelligence sharing for medical device developers, manufacturers, sponsors and users should consider the following aspects:
Manufacturers and sponsors must demonstrate how they will gather information regarding emerging cyber security vulnerabilities that may impact the safe operation of their medical device, and demonstrate assessment and any relevant action as part of ongoing risk management. This is necessary to ensure that a medical device included in the ARTG continues to meet the requirements of the Essential Principles.
This can be achieved by ensuring that the complaint monitoring processes of manufacturers and sponsors include cyber security issues. Manufacturers and sponsors are encouraged to:
[8] | See subsection 41FN(3) of the Therapeutic Goods Act 1989 |
[9] | See Part 4-6 of Chapter 4 of the Therapeutic Goods Act 1989 |
[10] | See subsections 41MN(1), (4) and (4A) of the Therapeutic Goods Act 1989 |
[11] | See subsection 41MNA(1) of the Therapeutic Goods Act 1989 |
[12] | Potential harm to a patient from the exploitation of a cyber security vulnerability may include physical or psychological harm through negative impact on the patient's health and safety. Other risks may be privacy or financial. |
The following list, which is not exhaustive, contains examples of known cyber security vulnerabilities for medical devices.
The TGA is responsible for the continued safety, quality and performance of medical devices affected by cyber-related issues.
The Australian Government released Australia's Cyber Security Strategy in 2016. This strategy recognises that improving cyber security is a whole-of-economy challenge, and details priority actions to improve Australia's general cyber security posture, alongside supporting the growth of the local cyber security industry.
Putting the cyber security strategy into operation and providing a cyber secure environment that ensures stability for businesses and individuals to operate in is the responsibility of the Australian Government, specifically the Department of Defence and relevant agencies, including the Australian Signals Directorate (ASD) via the Australian Cyber Security Centre (ACSC).
The digitalisation of consumer and professional health technology is rapidly gathering traction, with increased application of wireless communication, cloud services, artificial intelligence (AI) and other technologies.
Some of this technology meets the definition of a medical device, while some does not. Medical devices will increasingly be used in a wider variety of professional, personal and public environments, leading to new cyber security implications from an evolving cyber threat landscape.
Increased connectivity and digitisation of health technologies drives a changing cyber landscape, creating new vulnerabilities for medical devices. Likewise, vulnerabilities from across the broader IT ecosystem can affect digital health technologies.
As technology progresses, the capabilities and functionality of medical devices are becoming more digitised and interconnected. Software in particular is becoming increasingly important and pervasive in healthcare. As the digital complexity of devices increases so does the potential for cyber security risk through hardware and software vulnerabilities and increased exposure to network and internet-based threats.
In order to support Australia's medical device cyber security capability, the TGA has produced cyber security guidance for industry as well as guidance for users to embed cyber security practices and protocols across the medical device sector (developers, manufacturers, sponsors, health professionals and patients).
Please note that TGA requirements may not be the only relevant regulatory requirements. For example, you might be required to use the Office of the Australian Information Commissioner's Notifiable Data Breach Scheme under the Privacy Act 1988.
Manufacturers and sponsors need to consider and plan for an evolving cyber security landscape in order to maintain patient safety. The cyber–physical–human nature of many connected medical devices leads to cyber security vulnerabilities that cover traditional information security challenges, but also physical patient safety, though these are by nature difficult to predict. For example:
Enabling medical devices to be cyber-secure is a requirement for regulatory compliance in Australia. Supporting greater cyber-maturity and resilience into Australia's medical device industry will improve the security culture of our healthcare industry and reduce the risk of devices causing patient harm through cyber vulnerabilities. To achieve this, medical device manufacturers and sponsors are also considering cyber security more broadly within their organisations, including workforce skills, strong leadership, and technology solutions.
Beyond immediate patient harm, a single high profile adverse cyber event can disrupt professional and social trust in medical device advancement and the healthcare system more broadly, hindering innovation, development and deployment of digital health solutions for several years. Motivations for attacks on medical devices and associated networks may include:
Highlighted below are emerging social and technological trends that are affecting the cyber threat landscape and associated implications for the healthcare and medical device industry. The cyber security effect that arises from each trend is an important consideration for all stakeholders in the healthcare and medical device industry.
Trend name | Trend observations | Cyber security considerations |
---|---|---|
Consumer control and experience | | |
Integration of health service and supply chains | | |
Global Connectivity | | |
Precision and personal healthcare | | |
Increased data generation and exchange | | |
Healthcare: a vulnerable industry | | |
The rapid pace of change in the cyber security threat landscape, relative to the development and implementation of standards, means that manufacturers, sponsors and, in some circumstances, users of medical devices must continually assess and understand emerging global cyber security standards and frameworks that are being applied across other industries. This might include defence and financial services, where infrastructure security and information confidentiality and integrity are primary drivers. It may also include the Internet of Things community, within which connected medical devices (especially consumer devices) are implicitly included.
The tables below provide a non-exhaustive selection of frameworks and standards that may be of interest to medical device manufacturers and sponsors seeking to include a device on the ARTG in Australia.
Organisation, year | Name of Document | Summary |
---|---|---|
European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT, in the context of critical information infrastructures | This focuses on security considerations rather than standards. |
IEEE Standards Association | Internet of Things Related Standards; Medical device communications | A comprehensive list of IoT standards; protocols for information exchange |
National Institute of Standards and Technology (NIST), U.S. Department of Commerce, 2018 | Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) (NISTIR 8200) | Covers connected vehicles, consumer IoT, Health IoT, smart buildings, smart manufacturing; looks at cybersecurity risks as well as standards |
Organisation, year | Name of Document | Summary |
---|---|---|
ISA/IEC-62443 series of standards | Industrial Automation and Control Systems Security | Defines procedures for implementing electronically secure manufacturing and control systems and security practices, and for assessing electronic security performance |
NIST, 2015 | NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security | Guidance on how to secure ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. |
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), 2016 | Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies | Strategies for defence and recommendations for securing ICS |
Organisation, year | Name of Document | Summary |
---|---|---|
World Bank Group, 2017 | Financial Sector's Cybersecurity: A Regulatory Digest | A compilation of recent cybersecurity laws, regulations, guidelines and other significant documents on cybersecurity for the financial sector. |
Organisation, year | Name of Document | Summary |
---|---|---|
Defence Federal Acquisition Regulation Supplement (DFARS) | Defence Federal Acquisition Regulation Supplement (DFARS) and Procedures, Guidance and Information (PGI) | DFARS outlines cybersecurity standards a third party must meet and comply with prior to doing business with the Department of Defence, in order to protect sensitive defence information. |
The TGA aims to harmonise where appropriate with relevant international guidance. Many international jurisdictions will have regulatory guidance and information that is in line with global best practice concerning cyber security quality management and risk management systems, and therefore broadly in line with the expectations of the Essential Principles. Ideally, this facilitates the import and export of medical devices to and from Australia.
There are a number of guidance documents on the cyber security of medical devices that have been published or are under development by international medical device regulators. Some of these are discussed below. This is not an exhaustive list of global guidance materials. Meeting the regulatory requirements of one jurisdiction does not automatically mean compliance with the Essential Principles.
For a medical device to comply with the Essential Principles, the TGA requires that the design and construction will conform with generally acknowledged state of the art safety principles, including quality management and risk management systems.
In the USA, the FDA's Centre for Devices and Radiological Health (CDRH) has published several guidance documents that are relevant for cyber security. These are available on the FDA website:
Also in the USA, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Centre of Excellence (NCCoE) has produced Cyber Security Practice Guides for various industries, including healthcare:
The ECRI Institute, an independent non-profit organisation that researches approaches to improving patient care, has significant global activity in medical device cyber security and has published a series of relevant subscription based guidance documents (log in required):
The International Medical Device Regulators Forum (IMDRF) has worked to further a shared understanding of challenging topic areas, such as Software as a Medical Device (SaMD), which have a high risk of being exposed to malicious cyber activity. In addition, IMDRF has recently formed a working group to directly address cyber security. Relevant documents are available on the IMDRF website (in both PDF and DOCX formats), and include:
In Europe, the new Medical Device Regulation has introduced a specific requirement for cyber security for medical devices. This Regulation, (EU) 2017/745, will be fully implemented by 2020. More broadly, the European Union Agency for Network and Information Security (ENISA) has published guidance on baseline security for Internet of Things (IoT):
Cyber security for medical devices is a growing area of focus across many other jurisdictions. In some of these jurisdictions, authorities external to the country's health department are investigating cyber security approaches for a range of Internet of Things devices, including connected medical devices. Examples of guidance are highlighted below. Note that some of these are drafts, and the fast-moving nature of this topic means that there are many jurisdictions and examples of guidance not included here:
The glossary for this guidance is included in the TGA glossary.
Version | Description of change | Author | Effective date |
---|---|---|---|
V1.0 | Original publication | Medical Devices Branch | July 2019 |