As technology advances, more and more medical devices rely on network connectivity. Connected medical devices store and transmit patient data, and therefore demand both privacy and accuracy. As a result, the cybersecurity of medical devices will remain a focus for regulators and manufacturers.
While developing a device, manufacturers must assume it will be exposed to cyber threats and must be able to mitigate events that would compromise data integrity and patient privacy. To support this, global Regulatory Agencies have developed several standards and requirements that assist manufacturers in creating safe, secure, and effective medical devices. In this blog, let’s look at some of the best practices for medical device cybersecurity found in the IEC 62304 and ISO 14971 standards.
IEC 62304 Standard for Entire Medical Device Software Lifecycle
Known as a functional safety standard, IEC 62304 covers medical device software design and maintenance practices throughout the product lifecycle. It applies both to SaMD (Software as a Medical Device) and to medical devices with embedded software as part of their functionality. One of the best practices of this standard is building in safety measures from the beginning of development. The safety-related processes follow from the standard’s software safety classification, which determines the requirements that apply across the entire software lifecycle. The three safety classes for medical device software are:
- Class A: No injury or damage to health is possible.
- Class B: Injury is possible but not severe.
- Class C: Death or serious injury is likely.
IEC 62304 has nine parts, each covering a different aspect of medical device software, as listed below:
- Part 1: Scope
- Part 2: Normative references
- Part 3: Terms and definitions
- Part 4: General requirements
- Part 5: Software development process
- Part 6: Software maintenance process
- Part 7: Software risk management process
- Part 8: Software configuration management process
- Part 9: Software problem resolution process
ISO 14971 Standard for Medical Device Risk Management
This international standard focuses on medical device risk management: it addresses patient safety and aims to ensure safe interaction between the device and the patient or end-user. The safety-related procedures at each stage of the product lifecycle must be documented and implemented accordingly. The essential components of the risk management guidelines are risk analysis and mitigation. One should foresee the ways in which a connected device might fail and what the consequences of those failures would be. This makes it possible to build in the fail-safes needed to mitigate each potential hazard.
AAMI (Association for the Advancement of Medical Instrumentation) has published a technical report, TIR57:2016, which relates to ISO 14971 and outlines the principles of medical device security. This report bridges security risks (including data and system security breaches and loss of effectiveness) and the safety-related risk management practices found in ISO 14971.
TIR57:2016 provides guidance on conducting cybersecurity risk assessments of medical devices and on managing risks from security threats that affect the confidentiality, integrity, or availability of the device or of the information it processes. In addition, the IEC 80002-1:2009 standard for medical device software provides guidance on applying ISO 14971 to medical device software, with a focus on risk analysis, risk management, risk evaluation, and risk controls as they apply to software.
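To make the risk analysis loop described above concrete (identify a hazard, estimate its risk, apply a control, evaluate the residual risk, and evaluate any new risk the control itself introduces), here is an added example in Python. It is not from Freyr, ISO 14971, or TIR57: the 1-5 severity and probability scales, the acceptability matrix, the register entries, and the names evaluate_register and open_items are all constructed assumptions; a manufacturer defines its own scales and criteria in its risk management plan. The security-property field shows how TIR57's confidentiality, integrity, and availability view attaches to a safety-style hazard register.

```python
"""Hazard/threat risk register in the spirit of ISO 14971 and AAMI TIR57.

Added example (not from the standards or from Freyr). Scales, matrix and
register entries are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed 1-5 scales (assumption): the real scales live in the manufacturer's plan.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}


def risk_level(severity: int, probability: int) -> str:
    """Assumed acceptability matrix: severity x probability bucketed into three regions."""
    score = severity * probability
    if score >= 12:
        return "unacceptable"
    if score >= 6:
        return "ALARP"  # tolerable only if reduced as low as reasonably practicable
    return "acceptable"


@dataclass
class RiskControl:
    name: str
    severity_after: str
    probability_after: str
    # ISO 14971 requires evaluating risks that a control itself introduces.
    introduces: List["Hazard"] = field(default_factory=list)


@dataclass
class Hazard:
    identifier: str
    description: str
    security_property: Optional[str]  # TIR57 view: confidentiality/integrity/availability, or None
    severity: str
    probability: str
    controls: List[RiskControl] = field(default_factory=list)

    def initial_risk(self) -> str:
        return risk_level(SEVERITY[self.severity], PROBABILITY[self.probability])

    def residual_risk(self) -> str:
        sev, prob = SEVERITY[self.severity], PROBABILITY[self.probability]
        for c in self.controls:
            # A control may only lower a rating; it is never credited with raising one.
            sev = min(sev, SEVERITY[c.severity_after])
            prob = min(prob, PROBABILITY[c.probability_after])
        return risk_level(sev, prob)


def evaluate_register(hazards: List[Hazard]) -> Dict[str, Tuple[str, str]]:
    """Walk the register, including hazards introduced by controls; return id -> (initial, residual)."""
    results: Dict[str, Tuple[str, str]] = {}
    queue = list(hazards)
    while queue:
        h = queue.pop(0)
        results[h.identifier] = (h.initial_risk(), h.residual_risk())
        for c in h.controls:
            queue.extend(c.introduces)  # control-introduced hazards get the same treatment
    return results


def open_items(results: Dict[str, Tuple[str, str]]) -> List[str]:
    """Hazards whose residual risk is still not acceptable: they need more controls or a benefit-risk justification."""
    return sorted(hid for hid, (_, residual) in results.items() if residual != "acceptable")


# Constructed sample register (assumption), one entry per CIA property.
REGISTER = [
    Hazard("H-01", "Unauthenticated network message changes a therapy setting",
           "integrity", "catastrophic", "occasional",
           controls=[RiskControl("Mutually authenticated channel with signed commands",
                                 "catastrophic", "improbable")]),
    Hazard("H-02", "Patient records sent to the clinic server in clear text",
           "confidentiality", "serious", "probable",
           controls=[RiskControl("TLS with certificate pinning", "serious", "remote")]),
    Hazard("H-03", "Interrupted firmware update leaves the device unable to boot",
           "availability", "critical", "remote",
           controls=[RiskControl(
               "Dual-bank firmware with automatic rollback", "critical", "improbable",
               introduces=[Hazard("H-03a", "Rollback restores an older image with a known weakness",
                                  "integrity", "serious", "remote",
                                  controls=[RiskControl("Anti-rollback version counter in the bootloader",
                                                        "serious", "improbable")])])]),
]

if __name__ == "__main__":
    report = evaluate_register(REGISTER)
    for hid, (initial, residual) in report.items():
        print(f"{hid}: initial={initial:12} residual={residual}")
    print("still open:", open_items(report))
```

Running the script lists every hazard, including H-03a, which exists only because the rollback control was added, and reports H-02 as still open: a single control brought it from unacceptable into the ALARP region, so the register demands either a further control or a documented benefit-risk justification before the item can be closed.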
Finally, as the number of network-connected medical devices grows, manufacturers must abide by the applicable Regulatory standards to avoid or mitigate cybersecurity risks. To get the best solutions for full lifecycle management of your connected medical devices, consult Freyr - a proven Regulatory expert in the space. Stay informed. Stay compliant.