Medical Device Safety and Security: Obvious but not easy to achieve
With accelerating technology innovation, medical devices are becoming more sophisticated and more connected. Consequently, as in most mission-critical systems, safety and security are two increasingly vital requirements in medical device design. In April 2018, the U.S. Food & Drug Administration (FDA) announced plans to increase regulatory powers over medical device safety, including cybersecurity. This paper will explore challenges around safety and security requirements related to medical devices, as well as specific measures to deal with these challenges.
Safety and security may sound like two simple words, but these two factors are essential requirements for mission-critical systems such as medical devices. Taking care of these two “simple words” in an embedded system is a lot more complex and involves more effort than what most people would think. In today’s world, device manufacturers have a larger role—as an integrator of various technologies—than an engineering house that builds everything from scratch. The adequacy of safety and security needs to be gauged for specific components in the system and the end applications.
The U.S. Food and Drug Administration (FDA) regulates over 190,000 different devices manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide. Recent changes made by the FDA have brought software to the forefront of medical device regulation. As connectivity becomes a standard feature for medical devices, security requirements are also surfacing. The FDA’s recent activities reflect the market’s awareness of the lurking risks. The FDA requires device makers to have a clear inventory of the software used in the device through a “Software Bill of Materials” (SBOM) which would include software developed by the device makers as well as that obtained Off-The-Shelf (OTS software). The plan puts emphasis on security as it considers cybersecurity testing to be the responsibility of the medical product manufacturer. It also clarifies that the medical device manufacturer will choose what software to use, thus bearing responsibility for the security as well as the safe and effective performance of the medical device. This puts a huge burden on medical device companies to not only add mission-critical security to their products, but also manage lifecycle security over the life of the device in the field.
For more insights, read the “Medical Device Safety and Security: Obvious but not easy to achieve” white paper written by Yi Zheng, Product Manager at QNX Software Systems.