Pre-market regulatory requirements
Sponsors intending to include a medical device on the ARTG for supply in Australia need to meet their legal obligations under the Act and MD Regulations. In demonstrating compliance with the Essential Principles, the Sponsor needs to demonstrate that cyber security risks have been addressed.
The TGA has a risk-based approach to the regulation of medical devices. The level of scrutiny by the TGA of a device before it is placed on the ARTG and supplied in Australia depends on the risk posed by the device. The lowest risk medical devices, Class 1 devices, are not assessed by the TGA prior to inclusion on the ARTG. For all classes of medical devices, evidence must be made available on request by the TGA to demonstrate that medical device risk, including cyber security risk, is being managed by appropriate quality management systems and risk management frameworks. The regulations specify that some applications are subject to mandatory application audits, with other types of applications subject to non-mandatory application audits.
All medical devices that include software are susceptible to cyber security risks. Manufacturers of medical devices must demonstrate how cyber security risk has been minimised during the design, development, manufacturing and supply of a medical device, and how post-market requirements will be satisfied. These activities are critical to reducing the likelihood of a cyber security vulnerability being exploited and leading to unacceptable risk to a patient, and to managing emerging and ongoing cyber security risk; they should be documented in the manufacturer's quality management system.
Alongside the TGA's regulatory requirements for device safety, performance and quality, manufacturers are reminded that some devices may also have other regulatory requirements that need to be met, for example, the Office of the Australian Information Commissioner's Notifiable Data Breach Scheme under the Privacy Act 1988.
To meet the requirements of the relevant Essential Principles, a manufacturer is required to eliminate identified cyber security risk, or reduce the risk to an acceptable level. The potential for new cyber security risks that will emerge over the usable life of the device must also be considered and planned for, with upgrade pathways proactively developed where appropriate to address these issues once the device is on the market. Manufacturers should also proactively consider how to reduce risks associated with device obsolescence.
To reduce cyber security risk throughout the design and development phases, there are two approaches that assist in understanding cyber security risk as early as possible. Consideration of these approaches also assists with compliance with the Essential Principles. They include:
- Secure by design: developing an understanding of cyber security vulnerabilities associated with the medical device and the potential risk during the initial design and development phase. Early assessment allows adaptable cyber security measures to be incorporated in the device design, such as minimisation of the potential attack surface, secure code, etc. The Software Assurance Forum for Excellence in Code (SAFECode) publishes information concerning secure software development.
- Quality by design: building on the secure by design approach, quality by design involves understanding and mitigating the potential risks introduced with each function of the medical device, its manufacturing process and the environment in which the device is used. These risks may include cyber security, privacy, usability, safety and other associated risks. While an increase in functions (e.g. Bluetooth connectivity) may lead to improved usability, the way the function is designed, manufactured or used may also increase the device's exposure to cyber security vulnerabilities. More exposure increases the likelihood of a cyber security vulnerability being exploited, leading to potentially unacceptable risks. Early assessment allows for a stronger balance between functionality and cyber security.
Application of standards
The Essential Principles require that design solutions adopted by medical device manufacturers will have 'regard to the generally acknowledged state of the art'. In many instances, this expectation is achieved by the application of standards, some of which are outlined in Relevant Standards. The standards outlined in Table 3 are generally expected as a baseline during the design and development of a medical device; however, depending on the device, compliance with the Essential Principles may necessitate implementation of additional standards (information in Relevant Standards).
Manufacturers should be mindful that application of standards alone does not guarantee compliance with the Essential Principles. Additionally, application of standards does not guarantee adequate cyber security, because cyber attacks evolve far faster than the typical timeframes for developing and implementing standards.
Table 3: Standards generally expected as a baseline during design and development*
- ISO 14971: Medical devices - Application of risk management to medical devices
- ISO 13485: Medical devices - Quality management systems - Requirements for regulatory purposes
- IEC 62304: Medical device software - Software life cycle processes
- IEC 60601 (series): Medical electrical equipment - General requirements for basic safety and essential performance
* Use the current version of each standard as appropriate.
Risk management strategies
Risks that must be managed are detailed in the Essential Principles. Broadly, these include risks associated with the intended use of the device, long term safety, transport and storage, reasonably foreseeable environmental conditions, and unavailability of maintenance and calibration. The development of risk management strategies - the continuous approach to identifying, estimating and reducing risk - is required in order for a medical device to comply with the Essential Principles; cyber security risk management can be readily included in these strategies. A separate cyber security risk assessment in addition to the product risk assessment is an acceptable approach.
Two potential strategies to manage risk are detailed below, including the process outlined in ISO 14971 and the USA's National Institute of Standards and Technology's (NIST) cyber security framework. While ISO 14971 is the most commonly applied risk management strategy, others can be used as long as they ensure a manufacturer is adequately assessing, controlling and monitoring risks.
ISO 14971 standard
The ISO 14971 standard specifies a process through which the manufacturer of a medical device can identify hazards associated with a medical device, estimate and evaluate the risks associated with these hazards, control these risks, and monitor the effectiveness of that control.
The following qualitative levels of severity of patient harm, based on descriptions in ISO 14971, could be used in a cyber security risk assessment:
- Negligible: Inconvenience or temporary discomfort
- Minor: Results in temporary injury or impairment not requiring professional medical intervention
- Serious: Results in injury or impairment requiring professional medical intervention
- Critical: Results in permanent impairment or life-threatening injury
- Catastrophic: Results in patient death
The quantity of patients affected by the risk may warrant an increase in the severity of harm, for example it may be more appropriate to describe a critical level of harm to many patients as catastrophic.
The following summary is provided as an example of a risk management process under ISO 14971:
- Implement a risk management framework
  - Establish the risk management process
  - Establish relevant roles and responsibilities
  - Establish appropriate documentation
  - Create a version controlled risk management file
- Define the intended use of the medical device
- Identify hazards
  - What are the known cyber security vulnerabilities?
- Define hazardous situations and foreseeable use
  - Develop cyber security scenarios that are likely in the foreseeable use
- Estimate the level of risk
  - How likely is it that cyber security vulnerabilities will be exploited to create unacceptable levels of risk?
- Evaluate the identified risk
  - Is the risk acceptable?
  - If not acceptable, it will need to be reduced to an acceptable level
- Risk control
  - Has the cyber security risk been reduced as far as possible, or to a level that is outweighed by the benefits of the component/function that introduced the risk?
- Evaluate entire product risk acceptability
  - Is the risk acceptable?
  - Do the benefits of the medical device outweigh the risks?
- Risk management reporting
  - Complete a review and prepare appropriate documentation and reports prior to seeking regulatory approval.
- Post-market risk management
  - Complete activities for risk minimisation from a total product life cycle perspective: internal risk management audits, corrective and preventative actions (CAPAs), etc.
National Institute of Standards and Technology
Development of a risk management strategy in line with the USA's National Institute of Standards and Technology's (NIST) cyber security framework is another approach to addressing cyber security risks. Originally developed for critical infrastructure, the framework is also beneficial for manufacturers of medical devices and the broader healthcare ecosystem. The framework describes a series of concurrent and continuous cyber security functions that underpin a cyber security risk management strategy for both pre- and post-market phases:
- Identify: Develop an organisational understanding of cyber security to effectively manage cyber security risk associated with medical devices
- Protect: Develop and implement appropriate actions to ensure that a medical device can safely deliver its intended function, balancing security and usability
- Detect: Develop and implement appropriate activities to identify the occurrence of a cyber security event that changes the risk profile of a medical device
- Respond: Take appropriate action to ensure that cyber security risk is minimised for a medical device with a new risk profile
- Recover: Implement activities to increase medical device cyber resilience and to restore any capabilities or services that were impaired due to a cyber security incident
Implementing a cyber security risk management strategy that is based on this framework may assist in meeting the requirement for a medical device to obtain and maintain regulatory compliance in Australia.
Management of manufacturing and supply chain
Medical device manufacturers need to consider the cyber security practices of their manufacturing and supply chain, ensuring that relevant components used within or for the construction of the device are appropriately cyber secure, and will meet the requirements of the Essential Principles, in particular:
- Essential Principle 2: Design and construction of medical devices to conform with safety principles
- Essential Principle 4: Long-term safety
- Essential Principle 5: Medical devices not to be adversely affected by transport or storage
- Essential Principle 9: Construction and environmental properties.
Contractual negotiations and agreements should clearly outline cyber security expectations from the medical device manufacturer or sponsor responsible for the device once it is supplied in Australia. Manufacturers should investigate and ask questions to understand the cyber security practices and response plans of their suppliers and any platforms that their products will operate on or be distributed through (this includes mobile devices, web services and cloud services). On-going monitoring of practices should also be implemented and manufacturers should act in a timely manner should they discover a cyber security (or other) issue from a component within their supply chain.
Agreements should include expectations about the cyber security practices of third parties to ensure the confidentiality, integrity and availability of applicable systems. Where appropriate, thresholds and timelines for supply chain reporting of cyber security incidents should be agreed.
Provision of information for users
Essential Principle 9 requires, among other things, that a medical device manufacturer must ensure that a medical device is designed and produced in a way that ensures that, as far as practicable, the risks associated with reasonably foreseeable environmental conditions are removed or minimised. To meet this requirement and those of Essential Principle 13 (Information to be provided with medical device), appropriate information on cyber security must be provided to users of medical devices. This should include plain-language information for users with little or no cyber education, and technical language information for those with more advanced understanding. Considerations for cyber security specific information that may need to be provided in line with Essential Principle 13 can be found in Table 1.
Effective communication is required for consumers to understand risk, and give informed consent to treatment. This can be a challenge when both the clinician and the consumer may lack specific expertise on medical device cyber security, compounded by the rapidly changing pace of cyber security. Because of this potential mutual lack of cyber expertise, the requirements for manufacturers to provide clear, high quality and usable information to clinicians and consumers about cyber security risks and how to mitigate them are vitally important.
Clinicians need to be armed with the information to have a meaningful discussion with the patient about the risks and benefits of a particular device they are prescribing, including cyber security risk. This information needs to be in a language that is relevant to them, and their patients. In the case of high risk devices, clinicians must also have access to information to understand how and when to apply an update to a device.
Provision of information is also important for consumer focused medical devices, where the device may be used in a home environment (with limited cyber security protection) or a public environment which by nature is highly accessible.
As healthcare service providers increasingly strive to create a cyber secure environment, medical device manufacturers and sponsors supplying to these service providers will be asked for more specific information on cyber security risk mitigation measures during procurement activities. Collaboration between these organisations is essential to creating a more cyber secure healthcare environment. The USA's National Electrical Manufacturers Association (NEMA) provides an example form that manufacturers might consider when providing information to healthcare service providers (see Manufacturer Disclosure Statement for Medical Device Security). Further, a list of potential questions suggested for these procurement teams is provided in the TGA's medical device cyber security guidance for users of medical devices. These include:
- What security measures have been built into the device?
- What measures are in place to protect patient safety?
- What measures are in place to protect the confidentiality, availability and integrity of patient data?
- How has security been addressed at the user interface level?
- What security protocols and frameworks have been used?
- What are the known cyber security vulnerabilities for the device?
- Has the manufacturer assessed the cyber security of key components within the device (i.e., development environment, build tools, and the supply chain)?
- Does the manufacturer/sponsor provide an ongoing service to manage the security of the medical device(s), and how will they respond to future cyber security incidents?
- A medical device often has a long lifecycle—does the manufacturer/sponsor have enough resources to support the security requirements throughout the lifecycle?
- How is data from the device logged and stored? Are third party cloud services used and if so, what are their privacy and security policies? Is the data stored onshore?
- How will the manufacturer respond in the future if a medical device cyber security incident occurs?
- Has the company experienced any cyber security issues over the past 12 months and how were these managed?
Technical cyber security considerations
There are a number of technical cyber security considerations that a manufacturer should address during the pre-market development of a medical device to help ensure that cyber security risks to patient safety are designed out, removed, eliminated, reduced or otherwise managed. A number of these considerations are detailed here; however, manufacturers should be aware that technical considerations will vary depending on the device in question, the intended use, and the environment of use. Refer to ACSC (Australian Cyber Security Centre), and in particular, the “Essential Eight” baseline mitigation strategies to protect against cyber threats.
Modularised design architecture
- It is best practice to modularise or partition aspects of the design architecture to enable independent function of modules for cyber security.
- A modularised approach promotes medical devices that can be updated and adapted to changes in the cyber security risk profile over the total life cycle of the product.
- A secure operating platform, such as a security-verified microkernel, supports verification of the design architecture and enforces separation between the designed partitions, so that a critical software component cannot be negatively affected by other software components or by cyber security attacks targeting them.
- Smaller components are easier to assess for cyber resilience, by application of methods including formal mathematical proofs. Reuse of validated or verified trustworthy modules in different devices will improve overall cyber security, with reduced effort.
Cyber security assessment and penetration testing
- Consider implementing penetration testing initiatives (commensurate with risk level) to validate the effectiveness of medical device cyber security measures and internal risk management practices, and to identify unknown vulnerabilities:
  - Invasive tests involving simulated malicious attacks to evaluate the effectiveness of managing possible and probable attacks, e.g. malicious input, authentication bypass and illicit operation.
- Cyber security performance testing should be performed by a qualified party independent of the development team. Collaboration or partnership with 'white-hat' hackers, biomedical engineering teams and cyber security professionals is recommended.
- Utilise information from recognised organisations and industry groups regarding application security risks. One example of an accessible source is the Open Web Application Security Project, which publishes a Top 10 list of the most serious web application security risks on a regular basis.
- It is recognised that some critical systems may not be removed from production for testing; where feasible, a twin system for testing is recommended to overcome this. Network threat modelling using approaches such as the MITRE ATT&CK framework is also recommended to improve the cyber resilience of devices.
- Regular code review and penetration testing should cover assessment of common cyber security vulnerabilities (like the examples in Appendix 1: Known vulnerabilities) through database checks, use of known exploits and tools like vulnerability scanners, or software behaviour analysis using specific scenarios. Cyber security risks that should be assessed include:
  - Insufficient use of appropriate encryption and authentication protocols
  - Use of insecure function calls, e.g. causing overflow-type vulnerabilities
  - Insufficient protection for security credentials, e.g. hard-coded passwords
  - Insufficient information security capabilities, e.g. missing or improper use of confidentiality, integrity and availability measures
  - (Un)intentionally left debugging features and comments, e.g. debugging hooks, open JTAG ports
  - Improper use of control statements, e.g. improper checks for unusual or exceptional conditions
  - Wrong implementation of algorithms and protocols, e.g. OpenSSL Heartbleed
  - Flaws in algorithm and protocol designs, e.g. the Compression Ratio Info-leak Made Easy (CRIME) vulnerability of TLS compression
  - Malicious code and code segments, e.g. malware such as viruses and worms
  - Software components developed through an unknown or incompetent development process, i.e. software of unknown provenance (SOUP)
  - Listed (e.g. NVD, CERT, ACSC) vulnerabilities for off-the-shelf components (kernel, driver, firmware, application), libraries and APIs
  - Lack of input sanitisation and data validation, e.g. allowing potential injection attacks
  - Checking potential vulnerabilities through control flow analysis.
- Take action on outcomes of penetration testing by assessing the risk(s) of the affected functions, and consider solutions that address the risk(s) according to Essential Principle 2.
- Continual assessment of the threat landscape and up-to-date intelligence on new and emerging vulnerabilities is vital to cyber security assessment.
Operating platform security
- Assessment of the cyber security (under the development approach) of third party operating systems and hardware platforms needs to be completed in order to meet the Essential Principles (EPs), in particular EP 2 (Design and construction of medical devices to conform with safety principles), EP 3 (Medical devices to be suitable for intended purpose) and EP 9 (Construction and environmental properties).
- This is particularly critical for software development where the product is intended to operate on a consumer mobile device, or utilise a web or cloud service. It is required that the manufacturer or sponsor will have assessed the cyber security risks introduced by the third party platform and inform the user where there is residual risk, in order to meet the requirements of the Essential Principles.
- High-level considerations include the cyber security protections and support that a third party provides for its platform (covering differential responsibilities, processes and risks specific to the medical device domain), the ability to remove or disable unused functions, its default network security, and its accessibility if the user is expected to complete patching and performance updates.
- When possible, reduce the number and complexity of operating system components to reduce the attack surface, e.g. by using a simplified kernel design, or a stripped down operating system.
- When possible, implement code signing for firmware updates. These signatures include a signed hash of the firmware code which can be checked by the device before installing. An incorrect signature may indicate that the firmware is from an unauthorised (potentially malicious) source or that the firmware code has been tampered with.
- Manufacturers must consider the risks associated with available update methods and pathways, whether manual, remote access, continual updating using cloud/virtual systems, or another approach. Additionally, manufacturers must consider the ability for secure updating of a medical device during its lifecycle to account for emerging cyber risks, and demonstrate that the approach is in alignment with current state of the art practice.
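The firmware code-signing check described above, as an added example (not code from the TGA or any device vendor): the manufacturer signs the SHA-256 digest of the image with a private key, and the device verifies that signed hash against the public key provisioned at production before installing. The key pair, image bytes and helper names (ManufacturerSign, DeviceVerify, Scenarios) are all constructed for the example; Ed25519 is assumed as the signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareUpdate is a constructed update package: the image plus the
// manufacturer's signature over the SHA-256 digest of that image.
type FirmwareUpdate struct {
	Image     []byte
	Signature []byte
}

// ErrBadSignature is returned whenever the device must refuse to install.
var ErrBadSignature = errors.New("firmware rejected: signature does not verify")

// ManufacturerSign runs on the manufacturer's side (assumed helper): hash the
// image and sign the digest. Only the public half of the key is ever embedded
// in the device.
func ManufacturerSign(priv ed25519.PrivateKey, image []byte) FirmwareUpdate {
	digest := sha256.Sum256(image)
	return FirmwareUpdate{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// DeviceVerify is what the device runs before installing: recompute the digest
// of the received image and check the signature against the trusted public key.
// A failure means either an unauthorised signer or an image altered in transit.
func DeviceVerify(trustedPub ed25519.PublicKey, upd FirmwareUpdate) error {
	// Guard lengths first: ed25519.Verify panics on a malformed public key.
	if len(trustedPub) != ed25519.PublicKeySize || len(upd.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(upd.Image)
	if !ed25519.Verify(trustedPub, digest[:], upd.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenarios exercises three update attempts against one provisioned device key:
// a genuine update, an image tampered with after signing, and an image signed
// by a key the device does not trust. It returns whether each was handled correctly.
func Scenarios() (genuineOK, tamperedRejected, wrongSignerRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2.1.0") // constructed sample image
	genuine := ManufacturerSign(priv, image)
	genuineOK = DeviceVerify(pub, genuine) == nil

	// Same signature, but one byte of the image changed in transit.
	tampered := genuine
	tampered.Image = bytes.Replace(genuine.Image, []byte("v2.1.0"), []byte("v2.1.1"), 1)
	tamperedRejected = DeviceVerify(pub, tampered) != nil

	// A correctly formed signature from a key the device was never provisioned with.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrong := ManufacturerSign(otherPriv, image)
	wrongSignerRejected = DeviceVerify(pub, wrong) != nil
	return
}

func main() {
	g, t, w := Scenarios()
	fmt.Println("genuine accepted:", g, "| tampered rejected:", t, "| wrong signer rejected:", w)
}
```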
Trusted access and content provision
- Manufacturers and sponsors are encouraged to implement trusted access measures for network connected devices to prevent unauthorised access and to reduce cyber security risk. This should focus on securing activities that will be undertaken by the medical device user and ensuring the device can only access networks that are absolutely necessary. Measures that manufacturers should consider include:
  - Consider both physical and network access requirements—this might include removal of internet accessibility and direct network connectivity where appropriate and physically locking a device
  - Incorporate multi-factor authentication, build in state of the art access requirements (e.g. password, biometric, smartcard), account lockout protocols, and automatic timed methods to terminate sessions where appropriate
  - Establish logs to ensure traceable access to the device and audit logs to ensure trusted and credentialed access
  - Utilise user profiles that limit device access and privileges, balancing access and security (role based access).
- Encryption of medical device data is recommended, both at rest and in transit, where appropriate.
- Manufacturers need to ensure that, as far as practicable, risks associated with foreseeable environmental conditions are minimised; this includes the security risks of the networks on which a medical device is intended to operate (Essential Principle 9, Construction and environmental properties - see Table 1).
Refer to the ACSC (Australian Cyber Security Centre) website for more details.
References
- Software Assurance Forum for Excellence in Code (SAFECode), Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Lifecycle Program, Third Edition, March 2018. [Online] Available from: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf (pdf, 762kb). Accessed: 10/03/2019.
- Therapeutic Goods (Medical Devices) Regulations 2002, Schedule 1, clause 2(1) - Essential Principle 2(1).
- Speer, J. (n.d.). The definitive guide to ISO 14971 risk management for medical devices. [Online] Available from: https://www.greenlight.guru/hubfs/Sales_Material/gg_guide_to_risk_management.pdf (pdf, 339kb). Accessed: 9/11/2018.
- NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity. [Online] Available from: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (pdf, 1.01Mb). Accessed: 28/09/2018.
- Essential Principle 9.2(b).
- Storm, B., Battaglia, J., Kemmerer, M., et al. (2017). Finding Cyber Threats with ATT&CK™-Based Analytics, MITRE Corporation. [Online] Available from: https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf (pdf, 710kb). Accessed: 13/03/2019.