France Drafts Medical Device Cybersecurity Recommendations
Posted 23 July 2019 | By
France’s National Agency for the Safety of Medicines and Health Products (ANSM) has developed draft recommendations on the cybersecurity of medical devices.
ANSM developed the draft recommendations to help minimize the risk of cyberattacks on medical devices integrating software (MDIS), from early development and throughout the total product lifecycle (TPLC). The guideline draws on best practices and appropriate standards to address what ANSM describes as an inconsistent culture of cybersecurity among device manufacturers.
The draft recommendations recognize the evolving cybersecurity landscape in the increasingly connected world of medical devices. As such, ANSM says they merely “set out the key principles without expanding on the technical details, which would otherwise quickly render this document obsolete given the rate at which both medical devices and attacks can develop.”
ANSM also seeks alignment with the EU’s medical device and in vitro diagnostic regulations (MDR/IVDR), as these introduce general safety and performance requirements, including MDIS-specific requirements. MDR and IVDR “pave the way for the introduction of a new approach to risk management and system security on the part of manufacturers,” ANSM notes.
With MDR becoming applicable on 26 May 2020 as the first CE-marking legislation to introduce security requirements, the guideline clarifies the conceptual difference between safety and security. “The key difference between safety and security lies in the nature of the faults envisaged,” it states. It stresses that a device’s medical safety “is an absolute prerequisite” throughout its TPLC, regardless of the security measures that are introduced. Security recommendations are thus to be applied in addition to, not in place of, those on safety and quality.
As examples of the growing need for a TPLC approach to cybersecurity, ANSM points to Johnson & Johnson’s market withdrawal of the Animas OneTouch Ping after cybersecurity vulnerabilities were identified in the insulin pump system in October 2016, and to the vulnerabilities identified in six models of Abbott’s pacemakers in August 2017 that led to the first-ever US Food and Drug Administration (FDA) recall of a medical device due to cyber risk.
The guideline implements the TPLC approach by dividing the draft recommendations for all MDIS into five phases of the software lifecycle, namely design, development, first use, monitoring and end of life, so that they can be applied in premarket settings, during product distribution and in post-market settings.
ANSM opened the guideline, a product of a cybersecurity committee formed in 2017, for consultation until 30 September. The move follows on the heels of recommendations that the European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry (COCIR) offered in March for a harmonized approach to cybersecurity, underscoring the emerging trend toward TPLC approaches.
The guideline marks “the first time in Europe that recommendations in this area have been developed and the ANSM has shared its work with the European Commission so that the regulations evolve to integrate it,” ANSM says. The effort also coincides with a premarket cybersecurity push among members of the International Medical Device Regulators Forum (IMDRF) through new or updated guidance: Health Canada finalized its guidance last month, followed by Australia’s Therapeutic Goods Administration earlier this month, while FDA’s guidance has yet to be finalized.