The regulatory landscape for cybersecurity risk management in networked medical devices has developed rapidly and for many manufacturers the key challenges are:
Networked medical devices and other mobile health technologies have the potential to play a transformational role in healthcare yet they may also expose patients and health care organisations to safety and security risks.
Among the unintended consequences of increasing networked connectivity in medical devices and healthcare systems are the risks of being hacked, being infected with malware, and being vulnerable to unauthorized access.
While such scenarios may seem far-fetched, actual reported incidents and compelling FDA recall data are highlighting very real problems for networked medical devices. Known vulnerabilities and the potential for intentional threats have culminated in the need to regulate cybersecurity risk management in such devices.
For the experienced medical device risk manager, a first key to understanding cybersecurity in the medical device context is to get to grips with the comparative terminology.
In ISO 14971, hazards act through sequences of events to create hazardous situations with the potential for injury or damage. In ISO 27005, by contrast, threats exploit vulnerabilities in information assets, and the resulting compromise of systems or data leads to risks (potential harms).
The way forward for integrating the management of cybersecurity risk becomes clearer once it is recognised that the definition of HARM as managed through ISO 14971 is extended to ‘physical injury or damage to the health of people, or damage to property or the environment or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEM SECURITY.’
ISO 14971 risk management is a critical binding process in medical device development. It has long been established for most manufacturers that an integrated approach is essential across the device lifecycle and across ever more diverse device technologies, with management of cybersecurity risk the latest addition.
PA Consulting Group continues to lead in product compliance management and medical device design, and understands the true impacts of regulatory change.
To find out more about PA's medical device design and compliance related services, please contact us now.