Taiwan Food and Drug Administration Ministry of Health and Welfare
The Principle of Reviewing Medical Device Cybersecurity
Chun-Jen Chien
Technical Specialist
Division of Medical Devices and Cosmetics
Outline
Introduction of the “Guidance for Medical Device Cybersecurity Applicable to Manufacturers”
The Principle of Reviewing Medical Device Cybersecurity
Conclusion
Insecure Data Transfer and Storage
Medical Device (MD) Cybersecurity
Scope
Applicable to the medical devices that contain software (including firmware) or programmable logic as well as software that is a medical device.
The guidance is NOT applicable to health care facilities, medical device operators, maintenance personnel, information system managers and integrators, etc.
Principle
Cybersecurity of medical devices is associated with cyber conduct or data transmission.
The aim is to prevent unauthorized access, modification, misuse or rejection, which can diminish function and harm patients.
Medical device should avoid unauthorized access or transfer of data to external recipients.
2019.11 Guidance for Medical Device Cybersecurity Applicable to Manufacturers
Medical Device Cybersecurity
Total product life cycle (TPLC): Design, Verification & Validation, Pre market submission, Post market surveillance
Ch. I Introduction; Ch. II Background; Ch. III Definitions; Ch. IV Scope; Ch. X References
Ch. VIII Post market Surveillance for Cybersecurity; Ch. IX Remediating and Reporting Cybersecurity Vulnerabilities
Ch. V General Principles; Ch. VI Cybersecurity Risk Management Principles; Ch. VII Cybersecurity Functions
Comparison of Medical Device Cybersecurity
Jurisdiction | Pre market | Post market
IMDRF | FINAL(2020) | FINAL(2020)
Saudi | FINAL(2019) | FINAL(2019)
Canada | FINAL(2019) | N
Australia | FINAL(2019) | FINAL(2019)
United States | FINAL(2014), DRAFT(2018) | FINAL(2016)
China | FINAL(2017) | N
Taiwan | FINAL(2019) | FINAL(2019)
Source:
1. IMDRF, Principles and Practices for Medical Device Cybersecurity (March 2020)
2. Saudi, SFDA: Guidance to Pre-Market Cybersecurity of Medical Devices (April 2019)
3. Canada, Health Canada: Pre-market Requirements for Medical Device Cybersecurity (June 2019)
4. Australia, TGA: Medical device cybersecurity guidance for industry (July 2019)
5. United States, FDA (Draft): Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (October 2018)
6. United States, FDA: Postmarket Management of Cybersecurity in Medical Devices (December 2016)
7. China: Guidelines for Technical Review of Medical Device Cybersecurity Registration (医疗器械网络安全注册技术审查指导原则) (2017)
8. Taiwan: Guidance for Medical Device Cybersecurity Applicable to Manufacturers (適用於製造廠之醫療器材網路安全指引) (November 2019)
Principle of Reviewing MD Cybersecurity
Design Documentation
Manufacturers shall design medical devices with cyber threats in mind, following a cybersecurity core function architecture that covers identification, protection, detection and recovery.
Risk Management Documentation
1. Documentation that clearly describes cybersecurity threats and vulnerabilities, estimation of the associated risks, descriptions of the controls in place to mitigate those risks, and evidence to demonstrate that those controls have been adequately tested.
2. Manufacturers should consider risk controls that maximize device cybersecurity while not unduly affecting other safety controls.
3. The documentation should be clear and use a cybersecurity risk management standard for guidance.
4. Comprehensive risk management documentation, such as a risk management report or security risk management report, which should include any threat modeling and the identified cybersecurity threats.
Security Testing Documentation
Suggested, but not limited to:
Malware Testing
Malformed Input Testing
Structured Penetration Testing
TPLC Cybersecurity Management Planning Documentation
1. Manufacturers shall develop a complete post-market cybersecurity risk assessment plan and documented records, including but not limited to grievance handling, quality audit, corrective and preventive actions, software validity and risk analysis, and after-sales services.
2. The cybersecurity management plan should include the sources of cybersecurity information and the monitoring of third-party software elements, in order to find new vulnerabilities throughout the total product life cycle of devices.
Product Description Documentation
Descriptions of ALL design, maintenance and management functions of the product.
Lists of all external interfaces or physical input/output interfaces (including remote interface, local interface, wireless transmission interface, external file input, and all communication protocols that support these interfaces).
A list of ALL executable programs and libraries, as well as descriptions of related software building and installation procedures.
Device instructions for use and product specifications related to recommended cybersecurity controls associated with the intended use environment.
Conclusion
Better Public Health
Manufacturers should build trustworthy medical devices with state-of-the-art cybersecurity.
Reviewing includes design, risk management, security testing, TPLC cybersecurity management planning, and product description.
Medical device products and cybersecurity guidelines should be continuously updated.
Harmonize with international guidelines and standards.
Thanks for your attention