Case Study

Using the IEC 81001-5-1 Cybersecurity Controls in an SPDF for Health Software and Medical Devices

With the latest FDA Pre-Market Guidance, a Secure Product Development Framework is required.

This article explores the integration of IEC 81001-5-1 cybersecurity controls within Secure Product Development Frameworks (SPDF) for health software and medical devices, emphasizing the importance of comprehensive security measures from design to post-market surveillance.

  • Cybersecurity, Medtech, QMS, Software Development, Penetration Testing
  • Ongoing/Undisclosed
  • March-2024

Challenge

When working on medical device and health software projects without a guiding process, documentation often becomes cluttered with standard requirements and explanations of why the software was designed in a certain way and how this satisfies regulatory requirements.

Wouldn’t it be better to simply refer to the medical device manufacturer’s QMS and state that the latest cybersecurity guidance is built in? In addition, renewing an ISO 13485 certificate may raise the same question from notified bodies if software is part of your devices or is used as a standalone system in health products.

Solution

Achieving compliance for cybersecurity in medtech can be improved by separating QMS and development process concerns from project documentation. Reviewers, auditors, and customers will always be able to challenge a process when reading product documentation. However, if your process is crafted according to the latest guidance and state-of-the-art frameworks, the effort of updating the software development process and integrating it into the QMS is well worth it. In the following we present options gathered from a recent case we worked on.

Integrating cybersecurity controls into health software and medical devices is crucial for ensuring patient safety and data integrity. The IEC 81001-5-1 standard provides a comprehensive framework for implementing these controls within a Secure Product Development Framework (SPDF).

Cybersecurity in the V-model

The V-model is a well-established framework in system development, and integrating cybersecurity into this model ensures that security is considered at every stage. This approach helps in identifying and mitigating potential security risks early in the development process, leading to more robust and secure systems.

Secure Product Development Frameworks (SPDF)

Selecting an SPDF

Choosing the right Secure Product Development Framework (SPDF) is crucial for ensuring the security of medical devices. Alternatives like the Health Sector Council JSP 2.0 provide valuable guidelines and best practices for implementing secure development processes.

IEC 81001-5-1 Cybersecurity Controls in an SPDF

Relationship Between IEC 62304 and IEC 81001-5-1

IEC 81001-5-1 outlines cybersecurity controls that can be integrated into an SPDF. It details how cybersecurity should be addressed in each process step of IEC 62304, which focuses on the software lifecycle for medical devices. Although IEC 81001-5-1 does not depend on IEC 62304, applying the two together is recommended for medical devices, since IEC 81001-5-1 assumes that a basic SDLC framework is already in place.

EU Law and MDCG Guidance

The European Union’s Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) set stringent requirements for the cybersecurity of medical devices. The Medical Device Coordination Group (MDCG) provides additional guidance through documents like MDCG 2019-16 Rev.1, which outlines cybersecurity requirements for medical devices. This guidance emphasizes the importance of incorporating cybersecurity measures throughout the product lifecycle, from design to post-market surveillance.

Structuring the SPDF

When structuring an SPDF, it’s essential to consider various standards and guidelines. The JSP framework provides a structured approach to integrating cybersecurity into product development, ensuring that all aspects of security are addressed comprehensively.

Cybersecurity Risk Management

Managing cybersecurity risks goes beyond ISO 14971 and AAMI TIR 57. It involves evaluating patient harm related to cybersecurity threats, implementing risk mitigations, and conducting threat modeling. Techniques like STRIDE or TARA (Threat Assessment and Risk Analysis) and CVSS 3.0 scoring are essential for assessing the exploitability of weaknesses and prioritizing security efforts.

Cybersecurity Architecture and Design

Enhancing software architecture with security-specific views and use cases is crucial for building secure systems. Implementing a defense-in-depth strategy, which includes new software classifications like “maintained,” “supported,” and “required,” helps in risk transfer and ensures comprehensive security coverage.

Verifying and Validating Security

Security verification and validation are critical components of the development process. This includes enhanced software verification with security testing based on explicit requirements and exploratory methods. Penetration testing becomes a standard and mandatory practice, especially for FDA submissions, where original test reports are required. Ensuring the independence of testers and addressing conflicts of interest are also vital for maintaining the integrity of security assessments.

Post Market Surveillance

Post-market surveillance involves continuous monitoring of vulnerabilities and ensuring timely patches and updates. For critical issues, patches should be applied within 30 to 60 days. Reporting and vigilance are essential for maintaining the security of medical devices throughout their lifecycle.

Results

Applying the SPDF successfully in a digital health project and submitting the documented system to the FDA for clearance is the ultimate test of success. Within this case, sensaco’s contributions included a tailored CSMP, documentation updates across the software lifecycle (e.g. adding security architecture views), and a painstaking review of the eSTAR file.

Cybersecurity Management Plan (CSMP)

A Cybersecurity Management Plan (CSMP) is essential for managing cybersecurity risks in medical devices. The CSMP should include:

1. Risk Assessment: Identifying and evaluating potential cybersecurity threats and vulnerabilities.
2. Incident Response: Establishing procedures for detecting, responding to, and recovering from cybersecurity incidents.
3. Communication Plan: Defining strategies for internal and external communication during a cybersecurity event.
4. Training and Awareness: Ensuring that all stakeholders are aware of cybersecurity policies and procedures.
5. Continuous Monitoring: Regularly monitoring and updating the CSMP to address new threats and vulnerabilities.

Finding and addressing vulnerabilities

Vulnerability handling is one of the most closely inspected sections of the CSMP.

Finding vulnerabilities is performed via coordinated vulnerability disclosure, by inviting external sources such as security researchers to submit security issues, and by searching vulnerability databases (NVD and similar) with your projects’ SBOMs as inputs.

Once vulnerabilities of relevance have been put through the mitigation and remediation processes, the outcome needs to be fed back to finders, customers and other stakeholders. Nota bene: a CVE may be registered early by the finder, but with the timeline from the CSMP and the agreed grace periods, products requiring medical device security can still be remediated and documented in time.

The framework and many helpful details are laid out in the ISO 29147 and ISO 30111 standards. We strongly recommend integrating these product-related activities into your existing or upcoming ISO 27001 compliance on the operational side. All communication activities, e.g. the secure receipt of vulnerability reports, are needed for business applications as well.
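The SBOM-driven database search described above, combined with the CVSS-based prioritisation from the risk management section and the 30-to-60-day patch windows from post-market surveillance, as an added illustration that is not part of the original case study or of any sensaco tooling. The SBOM, the advisory feed (placeholder CVE ids), and the remediation windows per severity band are all constructed assumptions; a real run would feed an NVD export into the same matching logic.

```python
import json
from datetime import date, timedelta

# Constructed sample SBOM in CycloneDX-style JSON (not a real project's SBOM).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "openssl", "version": "3.0.7"},
  {"type": "library", "name": "libxml2", "version": "2.11.5"},
  {"type": "library", "name": "zlib", "version": "1.3.1"}]}"""

# Constructed advisory feed with placeholder ids standing in for an NVD export;
# "affected" is [first affected version, fixed version) as dotted integers.
ADVISORIES = [
    {"id": "CVE-0000-0001", "component": "openssl", "affected": ("3.0.0", "3.0.8"), "cvss": 9.8},
    {"id": "CVE-0000-0002", "component": "openssl", "affected": ("3.0.0", "3.1.0"), "cvss": 5.3},
    {"id": "CVE-0000-0003", "component": "libxml2", "affected": ("2.9.0", "2.11.0"), "cvss": 7.5},
    {"id": "CVE-0000-0004", "component": "zlib", "affected": ("1.2.0", "1.2.13"), "cvss": 8.2},
]

# Assumed CSMP remediation windows in days per CVSS 3.x severity band; lower
# bands get no fixed deadline here and are scheduled by the risk assessment.
REMEDIATION_DAYS = {"CRITICAL": 30, "HIGH": 60}

def severity(score):
    # Qualitative CVSS 3.x rating bands for a base score.
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else ("LOW" if score > 0 else "NONE")

def is_affected(version, affected):
    """True if version lies in [low, fixed) under dotted-integer comparison."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    low, fixed = affected
    return as_tuple(low) <= as_tuple(version) < as_tuple(fixed)

def scan_sbom(sbom_json, advisories, today_iso):
    """Match SBOM components against advisories; findings sorted highest CVSS first."""
    today = date.fromisoformat(today_iso)
    components = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    findings = []
    for adv in advisories:
        version = components.get(adv["component"])
        if version is None or not is_affected(version, adv["affected"]):
            continue
        sev = severity(adv["cvss"])
        days = REMEDIATION_DAYS.get(sev)  # None: no fixed deadline under this policy
        findings.append({"id": adv["id"], "component": adv["component"], "version": version,
                         "cvss": adv["cvss"], "severity": sev,
                         "due": (today + timedelta(days=days)).isoformat() if days else None})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)
```

Running `scan_sbom(SBOM_JSON, ADVISORIES, "2024-03-01")` yields two findings for openssl 3.0.7, the critical one with a remediation due date of 2024-03-31 and the medium one without a fixed deadline; libxml2 and zlib fall outside their advisories' affected ranges.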

FDA Submissions Using eSTAR

The FDA’s eSTAR program streamlines the submission process for medical devices, ensuring that all necessary documents are structured and compliant with regulatory requirements. This includes structuring a Cybersecurity Management Plan (CSMP) and adhering to other cybersecurity standards and laws, such as NIST CSF 2.0 and ISO 27001. Standards like UL 2900-1 and 2900-2-1, along with AAMI TIR 97 and the upcoming AAMI SW96, provide additional guidance for medical device cybersecurity and post-market management.

By integrating these elements into your development process, you can ensure that your medical devices are secure, compliant, and ready for market.
