The Principle of Reviewing Medical Device Cybersecurityand state of the art cybersecurity medical devices. Reviewing includes design, risk management, security testing, TPLC cybersecurity

1

Taiwan Food and Drug Administration Ministry of Health and WelfareTaiwan Food and Drug Administration Ministry of Health and Welfare

The Principle of Reviewing Medical Device Cybersecurity

Chun-Jen Chien

Technical Specialist

Division of Medical Devices and Cosmetics

2

Taiwan Food and Drug Administration Ministry of Health and Welfare

Outline

Introduction of the “Guidance for Medical Device Cybersecurity Applicable to Manufacturers”

The Principle of Reviewing Medical Device Cybersecurity

Conclusion

3


Insecure Data Transfer and Storage

4


Medical Device (MD) Cybersecurity

Scope

Applicable to the medical devices that contain software (including firmware) or programmable logic as well as software that is a medical device.

The guidance does NOT applicable for health care facilities, medical device operators, maintenance personnel, information system managers and integrators, etc.

Principle

Cybersecurity of medical device are associated with cyber conduct or data transmission.

Aim to prevents the unauthorized access, modification, misuse or rejectionwhich can diminish the function and harm to patients;

Medical device should avoid unauthorized access or transfer of data to external recipients.

2019.11Guidance for Medical Device Cybersecurity Applicable to Manufacturers

5


Design

Verification &Validation

Pre market submission

Post market surveillance

Total product life cycle (TPLC)

Ch. I IntroductionCh. II BackgroundCh. III DefinitionsCh. IV Scope Ch. X References

Ch. VIII Post market Surveillance for CybersecurityCh. IX Remediating and Reporting Cybersecurity Vulnerabilities

Ch. V General PrinciplesCh. VI Cybersecurity Risk Management PrinciplesCh. VII Cybersecurity Functions

Medical Device Cybersecurity

6


Comparison of Medical Device Cybersecurity

IMDRF Saudi Canada AustraliaUnited States

China Taiwan

Pre market FINAL(2020)

FINAL(2019)

FINAL(2019)

FINAL(2019)

FINAL(2014)

DRAFT(2018)

FINAL(2017)

FINAL(2019)

Post market

FINAL(2020)

FINAL(2019)

NFINAL(2019)

FINAL(2016)

N FINAL(2019)

Source:1. IMDRF, Principles and Practices for Medical Device Cybersecurity (March 2020)2. Saudi, SFDA: Guidance to Pre-Market Cybersecurity of Medical Devices (April 2019)3. Canada, Health Canada: Pre-market Requirements for Medical Device Cybersecurity (June 2019)4. Australia, TGA: Medical device cybersecurity guidance for industry (July 2019)5. United States, FDA (Draft): Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (October 2018)6. United States, FDA: Postmarket Management of Cybersecurity in Medical Devices (December 2016)7. China : 医疗器械网络安全注册技术审查指导原则(2017年)8. Taiwan:適用於製造廠之醫療器材網路安全指引(2019年11月)

7


Principle of Reviewing MD Cybersecurity

Design Documentation

The manufacturers shall design the medical devices considering cyber threat in identification, protection, defection and recovery related cybersecurity core function architecture.

8


Risk Management Documentation

1. Documentation that clearly describes cybersecurity threats and vulnerabilities, estimation of the associated risks, descriptions of the controls in place to mitigate those risks, and evidence to demonstrate that those controls have been adequately tested.

2. Manufacturers should consider risk controls that maximize device cybersecurity while not unduly affecting other safety controls.

3. Should be clear and use a cybersecurity risk management standard for guidance.

4. Comprehensive risk management documentation, such as a risk management report or security risk management report which should include any threat modeling, and identified cybersecurity threats.


9


Security Testing Documentation

Suggested and not limited to:

Malware Testing Malformed Input Testing

Structured Penetration Testing


10


TPLC Cybersecurity Management Planning Documentation

1. Manufacturers shall develop complete post-market cybersecurity risk assessment plan and documented records, including but not limited to grievance handling, quality audit, corrective and preventive actions, software validity and risk analysis, and after-sales services.

2. The cybersecurity management plan should include the source of cybersecurity information and monitoring by third-party software element to find out new vulnerability in the total product life cycle of devices;


11



Product description Documentation

Descriptions of ALL design, maintenance and management functions of the product.

Lists of all external interfaces or physical input/output interfaces

(including remote interface, local interface, wireless transmission interface, external file input, and all communication protocols that support these interfaces)

A list of ALL executable programs and libraries, as well as descriptions of related software building and installation procedures.

Device instructions for use and product specifications related to recommended cybersecurity controls associate with the intended use environment.

12


Conclusion

Better Public Health

Manufacturers should build a trustable and state of the art cybersecurity medical devices.

Reviewing includes design, risk management, security testing, TPLC cybersecurity management planning, product description .

Medical device products and cybersecurity guidelines should be continuously update.

Harmonize with international guidelines and standards.

13

Taiwan Food and Drug Administration Ministry of Health and WelfareTaiwan Food and Drug Administration Ministry of Health and Welfare

Thanks for your attention

Documents

The Principle of Reviewing Medical Device Cybersecurityand state of the art cybersecurity medical devices. Reviewing includes design, risk management, security testing, TPLC cybersecurity