For a while now, cybersecurity incidents in the healthcare sector have been increasing and can no longer be dismissed as random incidents, vandalism by script kiddies or collateral damage of general malware campaigns. The healthcare sector, specifically health delivery organizations and their supply chain, has become a prime target for cybercrime and cyberwar actors. Legislators and regulators are reacting, as usual, by creating new legislation, guidelines and requirements, but they focus on health delivery organizations in their role as operators of medical IT-networks (critical infrastructure). As security is only ever as strong as its weakest link, this also impacts medical device manufacturers. While the “what” is being defined by the regulators, figuring out the “how” remains with the operators and manufacturers.
So far, guidance and standardization have focused on (cyber)risk management in general (e.g. AAMI TIR 57) and left manufacturers without technical standards on how to actually mitigate identified risks. This lack of support on the technology side made many manufacturers turn to other industries, which is how, for example, the IEC 62443 family became a de facto standard for cybersecurity across multiple domains. While these standards have garnered widespread acceptance (e.g. some parts are listed as FDA recognized consensus standards), they don’t necessarily meet all the requirements of the healthcare sector. In recognition of this situation, the ISO and IEC started work on several new standards addressing the issue.
As part of that effort, the IEC has recently published IEC TR 60601-4-5:2021 Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications.
The technical report reinforces the idea that security is a burden shared by the manufacturer and the operator of a medical device. It defines a scheme with which this burden can be assessed, documented and communicated between parties; it defines four security levels and a list of technical capabilities that need to be implemented by a medical device to reach a specific security level. The capabilities are based on those defined by IEC 62443-4-2:2019 (and IEC TR 80001-2-2:2012) and brought into alignment with the basic tenet of medical device development: patient safety.
As a member of the IEC 60601 standards family for electrical medical devices, it defines requirements on the medical device itself (product standard). But unlike the other standards in the family, its scope explicitly states that it can be applied to any medical device software, including SaMD.
The technical report's stated goal is to define testable security properties for a medical device; currently, no official test report form (TRF) exists. It is likely that one will be published in the near future, and that test labs will offer relevant tests.
The technical report is planned to be harmonized for the MDR.
For medical device manufacturers, the technical report thus provides guidance on how to address the security vs safety challenge when implementing the security mechanisms defined in IEC 62443-4-2:2019. It further helps in assessing or attaining the security level of a device, and in identifying the security measures external to the device that are needed to reach the target security level of an operator. It thus also defines the information that needs to be provided to the operator for the secure use of the device. In that, it is expected to help manufacturers meet the general safety and performance requirements (GSPR) 17.2, 17.4 and 23.4 (ab) of the MDR.
Note that the report is essentially a wrapper around the IEC 62443-4-2:2019 standard, which is required reading for anyone trying to implement the security measures listed in the report. Also neither the report nor the standard go down to the “bits and bytes” level of engineering, which is left to the relevant technical standards or state-of-the-art knowledge of the engineer.
At the moment it is still too early to tell whether health delivery organizations/operators of medical IT-networks will apply a security-level scheme, as proposed by IEC 60601-4-5 and IEC 62443-4-2, when purchasing medical devices. But with the relevant IEC and ISO committees collaborating on the topic, and the technical report being targeted for harmonization under the MDR, it seems likely that this will happen sooner or later.