New European medical device guidance will require manufacturers to carefully review cybersecurity and IT security requirements in relation to their devices and in their product literature. This new guidance comes at the same time as a draft guidance on privacy by design has been published by the European Data Protection Board requiring product developers to implement privacy into the design of their products.
In December 2019, the Medical Device Coordination Group (MDCG) published its guidance on cybersecurity for medical devices (the Guidance). The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission. The Guidance is intended to assist medical device manufacturers meet the new cybersecurity requirements in the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) (collectively, the Regulations). In particular, the Guidance aims to assist with regard to both the pre-market and post-market requirements of the Regulations to ensure companies achieve “an adequate balance between benefit and risk during all possible operation modes of a medical device.”
Some of the key takeaways from the Guidance include the following:
- Manufacturers should consider the cybersecurity requirements in accordance with the nature of the device. In particular, the Guidance requires manufacturers to design and manufacture a device in such a way that “ensures that the risks associated with reasonably foreseeable environmental conditions are removed or minimised.”
- The Guidance acknowledges that even though the Regulations impose legal obligations only on the manufacturer of the device, all other actors (e.g., suppliers, healthcare providers) involved in the provision of secured healthcare services have a responsibility to ensure a secured environment for the patient. Although, the Guidance also confirms that where a manufacturer contracts with a third party to integrate a device, all legal responsibilities (including under the Regulations and the EU General Data Protection Regulation (GDPR)) remain with the manufacturer.
- Safety, security and effectiveness are, according to the Guidance, “critical aspects in the design of security mechanisms” for medical devices. In turn, this should be considered by the manufacturer at an early stage in the development and manufacturing process, and then throughout the lifecycle. The Guidance includes a concept referred to a “secure by design” which closely aligns with the requirement of privacy by design under the GDPR.
- Under the Regulations, manufacturers must determine the minimum IT security requirements and communicate these to the user. The Guidance provides that where security measures cannot be implemented through the product design, it is the responsibility of the manufacturer to ensure these are implemented in the operating environment. An indicative list of these security measures is provided in the Guidance which includes, for example, aligning with GDPR requirements, use of access management, anti-virus and firewalls, data encryption and use of strong passwords.
- In terms of the information to provide to users, the Guidance states that these should include “IT security features/configurations (if applicable), and clear instructions for the IT security controls related to the operating environment, including product specifications, compatibilities, recommended IT security measures, IT environment configuration (e.g. traffic control), etc.”
- During the support lifetime of the device, the manufacturer should put in place a process to gather post-market information with respect to the security of the device. The manufacturer should evaluate the information collected and take appropriate measures to mitigate any risks.
- The Guidance confirms that at an EU level, the Network and Information Systems Directive 2016/1148 and the GDPR “might apply in parallel” to the Regulations.