As technology continues to advance, so do the medical devices that are used to sustain life. While in South Korea, various types of medical devices capable of communication have been developed, the development is accompanied by the risk of cybersecurity threats such as hacking of medical devices and information leaks. These threats are not only applicable to property loss, but also to patients’ lives, and that is why safeguarding medical device cybersecurity is a core concern.
To address these concerns, the South Korean government has established guidelines for the cybersecurity approval (Guide-0995-03 2023.07.13) and review of medical devices. The South Korean medical device regulations aim to secure the safety management of medical devices capable of communication, and in turn, highlight the importance of cybersecurity for medical devices.
Why are Cybersecurity Guidelines Required?
Medical devices are often implanted inside patients’ bodies to serve life-sustaining functions, which means that any cybersecurity threat could have dire, even fatal, consequences. The guidelines on the cybersecurity of medical devices seek to prevent such threats by ensuring that the devices are secure and that the data they transmit is protected.
Key Considerations for Enacting New Guidelines and Guides
The key considerations to be kept in mind when enacting new cybersecurity guidelines and guides are that it is important to clarify the target of the medical device, apply the device according to its characteristics, and secure safety management if the device is capable of communication. The guidelines, aimed at achieving international harmonization, have borrowed and applied considerations from the Medical Device Cybersecurity Principles and Guidelines set forth by the International Medical Device Regulators Forum (IMDRF) (Principles and Practices for Medical Device Cybersecurity, IMDRF [2020]).
Basic Principles of Medical Device Cybersecurity
The basic principles of medical device cybersecurity comprise a set of guidelines that outline the key considerations for ensuring the cybersecurity of medical devices. They include availability, confidentiality, and integrity. Let us briefly look at these three (03) principles:
- Availability refers to making the data available immediately to authorized users.
- Confidentiality refers to protecting the data from unauthorized access.
- Integrity refers to ensuring that the data is accurate and has not been tampered with.
These principles are central to the cybersecurity management of medical devices, as they help ensure the safety and security of the devices and the data that they transmit.
Risk Management Process for Medical Device Cybersecurity
The guidelines specify that manufacturers need to carry out appropriate cybersecurity risk management processes for medical device cybersecurity in South Korea. Here are a few key aspects of the risk management process:
- The process should involve identifying potential cybersecurity threats, assessing the risks associated with the threats, and developing strategies to mitigate the risks.
- Manufacturers should record the process in the risk management report.
- Manufacturers must establish and maintain a systematic procedure for reviewing cybersecurity information during the production and post-production phases.
- Manufacturers should establish cybersecurity objectives with appropriate functions and levels. Moreover, they need to consider the consequences of risk assessment and treatment.
- Emphasis is placed on the continuous collection and analysis of information on the intentions of internal and external customers throughout the lifecycle of medical devices. Further, it is important that this information is reflected in the medical device cybersecurity risk management.
Application of Medical Device Cybersecurity Requirements
The guidelines consist of a table with examples of considerations for the application of medical device cybersecurity requirements with regard to medical device quality assurance and Regulatory compliance. The table includes three (03) categories of considerations – major, moderate, and minor – which are elucidated below:
- Major Consideration: The major consideration is the possibility of serious injury to patients, or even death, permanent impairment of body functions, and permanent damage to body structure due to cybersecurity breaches of medical devices.
- Moderate Consideration: The moderate consideration is that medical device cybersecurity breaches may result in minor or temporary injury to patients, which may require medical intervention.
- Minor Consideration: The minor consideration is that medical device cybersecurity breaches may cause temporary inconvenience or reversible, minor, and short-term inconvenience to patients, which do not require medical intervention.
Apart from the above categories, the table also includes considerations related to cable communication, wireless communication, and cybersecurity risks occurring due to infringement.
Two (02) Key Checklists for Medical Device Cybersecurity
Checklist for Medical Device Cybersecurity Requirements:
- Manufacturers need to use this checklist form when reviewing their medical devices for cybersecurity requirements.
- They should fill up the form in accordance with the characteristics of their respective devices.
- The form is the basis for confirming that manufacturers have satisfied all the cybersecurity requirements.
- The checklist includes the “Cyber Security Risk Management Document” and the “Software Verification and Validation Data”.
The table below (Table 1) illustrates the medical device cybersecurity checklist for medical devices in South Korea.
Table 1: Checklist for Medical Device Cybersecurity in South Korea
|
|
Cybersecurity Requirements |
Applicability of the Corresponding Device |
Compatibility Proof Method Used |
Document Number or the Corresponding Attached Document |
|
Security Communication |
Manufacturers should mention how to connect their medical devices via Internet, Bluetooth, etc., as well as the design characteristics and the security of translated data. |
XXX |
XXX |
XXX |
|
Device Data Protection |
Manufacturers must decide if their devices require encryption or protected messaging; they also need to evaluate the architecture at the system level to determine if design features are required for ensuring data non-repudiation. |
XXX |
XXX |
XXX |
|
Device Integrity |
Manufacturers should consider risks to the integrity of devices, such as unauthorized changes to it. They should be cautious of software, viruses, spyware, etc. |
XXX |
XXX |
XXX |
|
User Certification |
Some examples of user access control are passwords, hardware keys, raw chain authentication, etc. |
XXX |
XXX |
XXX |
|
Software Maintenance Number |
Manufacturers should consider providing users with all the updates details, timelines, and requirements. |
XXX |
XXX |
XXX |
Checklist for Guidelines/Guidebook Establishment/Revisions:
- Manufacturers need to use this checklist when establishing or revising guidelines or guidebooks.
- They must check if the content deviates from the upper laws and whether it establishes/strengthens new regulations or restricts sensitive civil complaints.
- If the answer is “yes” to whether it establishes/strengthens new regulations, they should delete the content that deviates from the upper statute and proceed with the process of establishing and revising the guidelines and guides.
- The checklist includes the designation of the guidelines or guidebooks and checks of the items related to application considerations.
Data Submission for Medical Device Cybersecurity
The guidelines lay out specific requirements for submitting data related to medical device cybersecurity. The submitted data must meet the following criteria for medical device approval:
- The data must be related to medical devices capable of wireless communication or having a communication path.
- Among the data on call performance, manufacturers must submit the “Software Verification and Validation Data” and the “Medical Device Software Conformity Verification Report”.
- The submitted information must not be falsified, malfunctioned, or approved for medical devices.
- Manufacturers must apply cybersecurity requirements as a countermeasure to prevent unauthorized access of medical devices.
- Manufacturers must confirm compliance with medical device cybersecurity requirements by submitting the “Medical Device Cybersecurity Requirements Checklist” and materials that verify the requirements of the checklist.
- Manufacturers may apply by excluding or modifying some of the requirements through risk analysis; the relevant data must be submitted with the “Cyber Security Risk Management Document,” according to Article 26 of the guidelines.
Overall, the guidelines for cyber security approval and review of medical devices serve as a valuable resource for manufacturers, users, and regulators, as they help ensure the safety and security of medical devices. If you are a manufacturer looking to sell your medical devices in South Korea, you must ensure that your devices meet the cybersecurity requirements outlined in the guidelines. Our team of experts can help you navigate through South Korean medical device regulation; they will ensure that your devices meet the cybersecurity requirements, and that you submit the necessary data for approval and review. Contact Freyr to learn more about how we can help you safeguard your medical device cybersecurity in South Korea. Stay informed! Stay compliant!
Category
