The use of medical devices, along with the desired benefits (for example in the diagnosis and treatment of diseases), is also associated with risks for the patient and the user (the physician or the patient himself). Such risks should be kept as low as possible relative to the benefits of the medical device. Therefore, you as manufacturer shall:
- identify, analyze and evaluate these risks,
- prevent, as far as possible, the potential harm arising from these risks, and
- monitor whether these risk prevention measures are effective.
However, as technology develops, the associated risks change as well. Risks are becoming more complex, or new kinds of risks may emerge. For example, the increasing networking of medical devices has introduced additional risks related to cybersecurity (in short: security), which can also lead to harm to patients. Thus, it is time for you to expand the risk management of medical devices according to ISO 14971!
Broadening the Focus of Risk Management in the EU MDR
Under the new EU MDR, risk management remains a central task of the manufacturer (Art. 10 (2)). However, the general requirements for risk management are defined much more precisely in Annex I, 3-4. These include:
- the preparation of a risk management plan for each medical device,
- the identification and analysis of all risks, and of the hazards arising from them, resulting from intended and unintended use,
- the elimination or at least control of the identified risks, and
- the consideration of information available from production and market for the ongoing adaptation of risk management throughout the product life cycle.
The explicit requirements for embedded and stand-alone software, including the associated risks, are new (Annex I 14.2 (d) and 17.1-17.4). For example, Annex I 17.4 states that the manufacturer shall set out the “minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorized access.” By comparison, the EU MDD already contained requirements for software, but without explicitly mentioning security.
Expanding the Traditional Understanding of Risk Management
Manufacturers of medical devices commonly implement ISO 14971 to comply with the regulatory requirements for a risk management process. How does edition 3 of ISO 14971, which is currently under development, deal with these new risks?
First, ISO 14971 (Ed. 3) broadens the scope to data and systems security: “[…] The requirements of this document are applicable to all stages of the life-cycle of a medical device. The process described in this document applies to risks associated with a medical device, such as for example those related to biocompatibility, data and systems security, electricity, moving parts, radiation, usability, and other risks […]”.
Second, ISO 14971 (Ed. 3) changes the definition of harm. By removing (!) the word “physical” from the definition, the view is broadened. Harm, defined as “injury or damage to the health of people, or damage to property or the environment”, now also embraces non-physical harm such as mental damage (consider e.g. a wrong diagnosis!) that could result from a malfunction of a medical device.
Damage to Property or the Environment
The definition of “harm” does not end with the words “health of people”. “Damage to property or the environment” must also be considered.
This part of the definition has not changed, but it links to security considerations.
Though it is questionable whether one can “possess” data (especially under German law), without doubt a security breach can cause harm. Imagine the value of your personal health data and what may happen if such confidential data is made available to the public.
The risk of harm is always present, and a perfect medical device with only benefits and without any residual risks is far from reality. But with new threats emerging, such as cyber attacks, it’s time to extend risk management to cover both safety and security. Therefore, your risk management process should consider the risks from each area separately as well as their interaction.
We recommend that you examine your current risk management process in light of the developments mentioned above and act as applicable:
- Enhance your current risk management process. As a manufacturer of medical devices, you are certainly running an established risk management process that mainly focuses on safety. Include security considerations in this process as well!
- Consider that safety and security may be correlated. A lack of security may allow unauthorized access to a device, giving an attacker the ability to control device functions. As an example, imagine an infusion pump whose drug rate has been changed, leading to severe injury. In this case, medical device safety and security are correlated!
- Consider that safety and security may not be correlated. A lack of security may allow unauthorized access to a device and thereby to the data stored in it. As an example: if an attacker copies sensitive patient data and makes it available (or sells it) to the public, the function of the device itself is not impaired. Safety and security are not correlated! But without a doubt, this is a non-physical harm for the patient.
- Add malicious intent to the considerations in your risk management. For safety risks, this is done by considering the intended purpose of the device. Using the device with malicious intent, i.e. trying to harm the patient on purpose, is outside these considerations. But risk management that takes IT security into account requires considering a malicious adversary. He or she wants to access your device, i.e. the information it contains, not necessarily to harm a patient directly, but to breach CIA (Confidentiality, Integrity, Availability).
- Perform risk management in a proactive way. It may be useful to determine the current security status of your device, e.g. by performing intrusive testing. However, as mentioned, this only captures the status quo. To stay one step ahead, security issues must be analyzed in advance. Thus, you should assess vulnerabilities and threats, and you should find and implement countermeasures.