By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage emerging cybersecurity risks, manufacturers can reduce cybersecurity risks posed to devices and patients.
The medical device manufacturer is responsible for the validation of all software design changes.
Off-The-Shelf Software (OTS Software) is a generally available software component, used by a medical device manufacturer for which the manufacturer cannot claim complete software life cycle control. Commercial Off-The-Shelf Software (COTS Software) comes from a commercial supplier.
Medical device manufacturers using OTS software bear responsibility for the security as well as the safe and effective performance of the medical device.
Existing regulations are largely written for software embedded in dedicated hardware medical devices, with emphasis on physical harm; transmission of energy and/or substances to or from the body; the degree of invasiveness to the body; closeness to sensitive organs; duration of use; diseases; processes and public health risk; competence of the user; and effect on the population due to communicable diseases.
Today, however, medical device software is often able to attain its intended medical purpose independent of hardware medical devices, when deployed in diverse care settings, on a multitude of technology platforms (personal computers, smart phones, and in the cloud) that are easily accessible.
SaMD are typically connected to the Internet, networks, databases, or servers with varying information security requirements, which results in emergent behaviors not usually seen in hardware medical devices and introduces new and unique challenges:
- Medical device software might behave differently when deployed to different hardware platforms.
- Often, an update made available by the manufacturer is left to the user of the medical device software to install.
The SaMD information security and privacy control requirements must be balanced with the need for timely information availability by identifying and implementing safe ways to store, convert and/or transmit data.