
Medical Device Cybersecurity and Intellectual Property Protection for Life Sciences

Leverage our state-of-the-art cybersecurity to protect your MedTech, AI/ML and Software Intellectual Property
Need a trusted Healthcare Cybersecurity Partner?

Your trusted MedTech and Life Sciences cybersecurity partner

Voted the ‘Best Cybersecurity Company’ for three years running, our comprehensive portfolio of Cybersecurity Solutions and MedTech Advisory services ensures state-of-the-art cybersecurity and regulatory compliance across the globe and is tailored specifically to the unique needs of MedTech and Life Sciences companies.

MedTech Advisory Services

Ensure robust security capabilities, prepare for FDA and EU MDR submissions, external audits and conformity assessments, and address cybersecurity deficiencies.

Remedy by Irdeto – SBOM and Vulnerability Management

Leverage the best open-source security technologies to provide the most comprehensive solution for SBOM and Vulnerability Management with no vendor lock-in.

Keys & Credentials for MedTech

Rapidly implement full cryptographic capabilities and ensure the confidentiality, integrity and availability (CIA) of medical devices with our suite of managed PKI services. We’re an ISO 27001 certified provider.

Intellectual Property Protection

Keep your IP and secrets safe, and prevent adversarial attacks on your software, edge devices and cloud assets using our suite of software and AI/ML security tools.

What makes for an excellent Healthcare and Life Sciences cybersecurity partner?

Our Healthcare and Life Sciences cybersecurity team consists of highly qualified healthcare and product security experts, with an extensive global cybersecurity patent portfolio. Irdeto is an ISO 13485:2013 certified provider of cybersecurity products and services for Medical Device Manufacturers.

Infographic: The harmonization of medical device cybersecurity requirements

Get up to date with the medical device cybersecurity requirements for both the EU and the US market. The center of the infographic shows requirements applicable to both. The top half represents the pre-market stage and the lower half, the post-market. Numbers 1-8 along the bottom provide supporting information. Both market requirements are mostly harmonized regarding medical device cybersecurity.

[Infographic: The harmonization of medical device cybersecurity requirements]

Frequently asked questions

How does cybersecurity factor throughout a medical device's product lifecycle?

Micro- and nanotechnologies, the nearly infinite expansion of software into everything, and the almost zero cost of always-on connectivity are the leading enablers of innovation in the MedTech industry, with massive potential benefit for society.

But these enabling technologies come with new risks: software has bugs, connectivity enables unwanted access, and hardware can be programmed to do things it wasn’t intended to do. In the heavily regulated medical device world, safety has always been the top consideration when developing a new medical device.

These new risks are not safety risks in the traditional sense but rather security risks that impact safety and effectiveness. So, in order to ensure the safety of patients and the effectiveness of these innovative devices, the medical regulatory bodies are expanding the required cybersecurity-specific activities through the application of Security Risk Management.

This means that new or more substantive activities are required at each stage of the device lifecycle to ensure the secure design, operation and eventual decommissioning of all active medical devices. These activities include both process-related items, such as implementing a Security Risk Management Process, adopting a Secure Product Development Framework and conducting security risk and product security assessments, and technical items, such as implementing technologies that serve as security controls and monitoring for signals of new threats during the post-market stage of the product.

What is a Secure Product Development Framework (SPDF)?

The implementation of a Secure Product Development Framework (SPDF) is now an essential activity for manufacturers of active medical devices. For many manufacturers, adopting an SPDF will simply be an incremental improvement to their existing Quality System Regulation (QSR) compliant design processes.

For those unfamiliar with the term, an SPDF is similar in concept to a Secure Software Development Framework (SSDF) but encompasses all of the product components in addition to the software elements and, where relevant, takes into account the broader medical system the device interacts with.

For manufacturers currently exploring what the newly required activities are, the FDA has identified the Health Sector Coordinating Council Joint Security Plan as an ideal starting point. This guidance advising the adoption of an SPDF is further evidence of the regulatory push towards more advanced cybersecurity practices.

At the operational level, an SPDF adds new processes to the premarket stages of the device lifecycle. Key premarket activities include threat modeling from the initial concept stage, conducting product security risk assessments, specifying lifecycle security requirements, specifying security controls, evaluating the software supply chain and ensuring that manufacturing processes are secure.

Many of the premarket activities can also be categorized as a ‘security-by-design’ approach. During the qualification stage, these activities include security testing in addition to traditional verification and validation.

In the post-market stage, activities include continuous monitoring for vulnerabilities and threats, robust patch management, processes for incident management and response, and end-of-life support. An all-encompassing approach that involves the various stakeholders will provide a more robust defense against potential cyber risks.

What is Security-By-Design?

Security-by-design in medical devices is a proactive approach that applies security principles to the product design. It means considering potential threats, vulnerabilities and security controls from the outset. The approach helps the design team make use of the best technology without compromising security and eliminates the risk of having to implement major revisions when approaching pre-market submission.

Regarded as industry best practice, it is increasingly being advocated by regulatory authorities, including the FDA.

Where does the concept of ‘state-of-the-art' come from and what does it mean?

The concept of ‘state-of-the-art’, as used in the context of the European Union’s Medical Device Regulation (EU MDR), refers to building products capable of ongoing technological improvement using the most current development standards and the best practices in the industry.

Medical devices, which usually have a longer lifespan than many other technologies, are expected to uphold the most current and effective practices. Even where these practices are not explicitly mandated, their implementation may be thoroughly examined by authorities.

What are the main cybersecurity medical device requirements that I should know of?

In the MedTech device segment, market access is governed by legislation that establishes both regulatory agencies and schemes to ensure the safety and effectiveness of the devices.

In the United States, the Food and Drug Administration (FDA) is the government agency that defines the policy and requirements, while in the European Union (EU) the EU Council has developed a more federated scheme using the Conformity Assessment (CE Mark) approach through the Medical Device Regulation (MDR-2017) and the Competent Authority/Notified Body system.

While both large markets have different regulatory pathways, many of the activities relating to cybersecurity are quite similar and will continue to be harmonized over time through the evolution of ‘state-of-the-art’ practices and the efforts of industry bodies like the International Medical Device Regulators Forum (IMDRF).

With such significant regulatory complexity, there is no simple list of requirements that clearly lays out everything that must be done. Rather, the requirements are spread across several types of documents: cybersecurity standards (AAMI SW 96, UL-2900), guidance documents (FDA Premarket Submissions/IMDRF WG 60/MDCG 2019-16), legislation on data usage and protection, risk management requirements, and medical-device-specific software development standards.

The US and EU markets are governed at their highest levels by the following regulations:

  • The EU market: Medical Device Regulation of 2017 and In Vitro Diagnostic Regulation of 2018
  • The US market: Code of Federal Regulations Title 21 (FDA)

Both markets are, however, advancing toward unified standardization, led by state-of-the-art practices and industry bodies.

What is ISO 13485 and how does it impact the development of medical devices?

ISO 13485 is an internationally recognized standard for quality management systems in the medical device industry. It is used by organizations involved in the design, production, installation and servicing of medical devices and related services. The standard is used by internal auditors and external parties, such as certification bodies, to determine conformance. In addition, ISO 13485 certification is often seen as a mark of quality assurance, making it a key requirement for many customers and vendors.

What are the responsibilities of the Health Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) for maintaining secure devices?

Both Health Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) share responsibility for medical device security. HDOs are accountable for maintaining secure networks, applying patches, and ensuring that devices operate within a secure environment.

MDMs, on the other hand, are obligated to produce and sell secure devices, to regularly monitor and manage vulnerabilities, and to maintain security throughout the device lifecycle.

The industry has also developed a Joint Security Plan to help better define the stakeholder responsibilities.

Speak to your trusted Healthcare Cybersecurity Partner now!