The industry group that set forth the new work item for a globally harmonized approach to medical device cybersecurity, which is currently under development, released a new white paper that provides an overview of best cybersecurity practices in medical technology manufacturing.
The new white paper is intended to increase a manufacturer’s level of cybersecurity sophistication in manufacturing and engineering processes by following seven principles. These include segmenting networks, understanding data types and flows, hardening devices, monitoring devices and systems, user management, updating devices and providing a recovery plan-escalation process. For each principle, the paper provides information on the identification of threats, recommendations for manufacturers to incorporate as well as relevant reference documents, including the appropriate consensus standards.
The document speaks to a recently reimagined approach to worldwide cybersecurity as medical devices become increasingly connected, presenting new challenges with potential cyber incidents and threats to patient safety.
The “many risks that can be expected” range from “infection of new products with malicious software during production” to “leak of product software certificates,” according to DITTA’s white paper.
Last September, the International Medical Device Regulators Forum (IMDRF) approved its new work item (NWI) on cybersecurity that the Global Diagnostic Imaging, Healthcare IT & Radiation Therapy Trade Association (DITTA) developed. DITTA proposed the NWI at an IMDRF management committee meeting earlier that month and called for members from the US Food and Drug Administration (FDA) and Health Canada to lead the regulatory harmonization efforts on cybersecurity. The committee agreed and set FDA and Health Canada as co-chairs of the NWI, which took shape earlier this week on IMDRF’s website.
The NWI seeks to “promote a globally harmonized approach to medical device cybersecurity that at a fundamental level ensures the safety and performance of medical devices while encouraging innovation,” IMDRF wrote. It is “thus intended to provide medical device cybersecurity guidance for stakeholders across the device lifecycle.” As part of the NWI, FDA and Health Canada are now charged with developing a new IMDRF technical document to provide harmonized guidance on key cybersecurity terminologies as well as promote information-sharing and cybersecurity as a shared responsibility.
Meanwhile, FDA released its updated premarket cybersecurity draft guidance last October. Health Canada issued its own draft guidance on premarket cybersecurity shortly thereafter. The two documents share a lot in common, including the push for a total lifecycle approach.
Representing the Medical Imaging Technology Association (MITA), Canada’s MEDEC and several other global trade associations, DITTA noted in its white paper that it “believes that the number of cybersecurity requirements within the medical technology manufacturing facility and engineering processes will increase along with product quality demanded by global regulatory requirements.”
Working group membership has yet to be determined for the development of IMDRF’s medical device cybersecurity guide. DITTA, however, has served in various other IMDRF work items throughout the years, including on software as a medical device. DITTA is now set to participate in China’s first NWI proposal on clinical evaluation, which received approval last year. The initial information on the NWI for a harmonized approach to clinical evaluation was posted this week as well.