As medical devices become more digitally interconnected and interoperable, they can improve the care patients receive and create efficiencies in the health care system.
However, medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.
By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage emerging cybersecurity risks, manufacturers can reduce cybersecurity risks posed to devices and patients.
Medical device manufacturers must comply with quality system regulations (QSRs), which require that all risks, including cybersecurity vulnerabilities risk, are addressed.
The medical device manufacturer is responsible for the validation of all software design changes.
Off-The-Shelf Software (OTS Software) is a generally available software component, used by a medical device manufacturer for which the manufacturer cannot claim complete software life cycle control. Commercial Off-The-Shelf Software (COTS Software) comes from a commercial supplier.
Medical device manufacturers using an OTS software, bear responsibility for the security as well as the safe and effective performance of the medical device.
There are three types of software related to medical devices:
- Software in a medical device (SiMD)
- Software used in the manufacture or maintenance of a medical device
- Software as medical device (SaMD)
The term Software as a Medical Device is defined by the International Medical Device Regulators Forum (IMDRF) as
“software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”
Mobile medical applications (MMA) that meet the definition above are considered SaMD.
Existing regulations are largely for software that is embedded in dedicated hardware medical devices, with emphasis on physical harm, transmission of energy and/or substances to or from the body, the degree of invasiveness to the body, closeness to sensitive organs, duration of use, diseases, processes and public health risk, competence of user and effect on population due to communicable diseases.
Today however, medical device software is often able to attain its intended medical purpose independent of hardware medical devices, when deployed in diverse care settings, on a multitude of technology platforms (personal
computers, smart phones, and in the cloud) that are easily accessible.
SaMD are typically connected to the Internet, networks, databases, or servers with varying information security requirements, which results in emergent behaviors not usually seen in hardware medical devices and introduces new and unique challenges:
- Medical device software might behave differently when deployed to different hardware platforms.
- Often, an update made available by the manufacturer is left to the user of the medical device software to install.
The SaMD information security and privacy control requirements, must be balanced with the need for timely information availability by identifying and implementing safe ways to store, convert and/or transmit data.