Intertek's Assurance in Action Podcast Network
Managing Cybersecurity Risks in Medical Devices
This episode covers the growing importance of managing cybersecurity risks in medical devices under the EU Medical Device Regulation (MDR). Key topics include integrating cybersecurity into device design, maintaining security throughout the device lifecycle, and best practices for manufacturers to stay compliant and safeguard patient safety.
Speakers:
- Susanna Al Halabi - Regulatory Lead of Notified Body - Medical Devices, MDD
Managing Cybersecurity Risks in Medical Devices
Natalia Farina: Hello and welcome to Intertek’s Assurance in Action podcast!
My name is Natalia Farina, I’m the Global Marketing Manager for Business Assurance with Intertek, and I’ll be your host for this episode.
Today we’re diving into a critical topic: managing cybersecurity risks in medical devices, especially in light of the EU Medical Device Regulations, or MDR. With us is our regulatory lead, Susanna Al Halabi, who has extensive experience in medical devices regulations. Welcome, Susanna!
Susanna Al Halabi: Thanks for having me, Natalia. It’s great to be here!
Natalia Farina: To kick things off, can you explain why cybersecurity has become such a pressing issue for medical device manufacturers in recent years?
Susanna Al Halabi: Absolutely. As digital transformation has connected more devices, the potential attack surface has increased significantly. Medical devices that were once standalone are now interconnected, making them vulnerable to cyber threats. A breach could compromise patient safety, confidentiality, and data integrity. The MDR addresses this by setting stringent requirements for cybersecurity throughout a device's lifecycle.
Natalia Farina: That leads us to the new cybersecurity requirements under the MDR, which came into effect in May 2021. Can you break down some of the key obligations that manufacturers now face?
Susanna Al Halabi: Sure! The MDR mandates that cybersecurity be integrated into the design and development of medical devices right from the start. This includes practices like threat modeling, secure coding, and regular security assessments. Manufacturers must also comply with relevant standards, such as ISO/IEC 27001, to ensure that robust cybersecurity measures are in place.
Natalia Farina: So, it’s not just about having security measures; it’s about making them part of the foundation of the device itself.
Susanna Al Halabi: Exactly! And it doesn’t stop there. Manufacturers are also required to manage cybersecurity risks throughout the device’s entire lifecycle—from conception to disposal. This means staying vigilant and proactive as new vulnerabilities are discovered.
Natalia Farina: What role does information provision play in this process?
Susanna Al Halabi: Information provision is crucial. Manufacturers must include clear instructions about cybersecurity risks and how to mitigate them in their user documentation. This empowers users to operate devices correctly and respond effectively to potential security issues.
Natalia Farina: That’s a great point. Users need to be informed. Now, let’s talk about lifecycle maintenance. What responsibilities do manufacturers have in keeping their devices secure over time?
Susanna Al Halabi: Manufacturers are responsible for keeping devices updated and secure throughout their lifecycle. This includes deploying security patches and updates to address new threats. Effective update mechanisms are essential for maintaining the security of connected medical devices long after they’re launched.
Natalia Farina: And what about the Medical Device Coordination Group's guidance on cybersecurity?
Susanna Al Halabi: The MDCG outlines General Safety and Performance Requirements related to cybersecurity in the MDR Annex I. Manufacturers are encouraged to consider the state of the art in cybersecurity practices when designing and updating their devices. This means they need to continuously evaluate and implement measures that are in proportion to the risks they face.
Natalia Farina: It sounds like a comprehensive approach. With such strict requirements, what challenges do manufacturers typically encounter when trying to comply?
Susanna Al Halabi: One of the biggest challenges is integrating cybersecurity into existing workflows and processes. Many manufacturers may not have the expertise or resources in-house to address these complex requirements. Additionally, keeping pace with evolving cyber threats while ensuring compliance can be overwhelming.
Natalia Farina: Are there any best practices you would recommend for manufacturers navigating these challenges?
Susanna Al Halabi: Definitely! First, investing in training and education for staff is vital. Building cross-functional teams that include cybersecurity experts, engineers, and compliance professionals can help. Also, regularly conducting risk assessments and keeping an eye on emerging threats will help manufacturers stay ahead of the curve.
Natalia Farina: Great advice! Before we wrap up, what should manufacturers do if they need support on MDR compliance?
Susanna Al Halabi: The best approach would be to invest in and strengthen the in-house capacity and resources of people with regulatory expertise. Manufacturers may also reach out to specialized consultancy firms and seek expert advice that can help in navigating compliance effectively. Once they reach compliance readiness, they are welcome to reach out to the Intertek Medical Notified Body to get started with their certification journey.
Natalia Farina: Thank you, Susanna, for shedding light on such an important topic today. It’s clear that managing cybersecurity risks in medical devices is not just a regulatory obligation, but a crucial aspect of patient safety.
Susanna Al Halabi: Thank you for having me, Natalia.
Natalia Farina: Thank you to our listeners for tuning in to this episode. If you’re looking for support on your journey toward MDR compliance, reach out to our team of experts at Intertek Medical Notified Body at imnb@intertek.com. Until next time, stay safe and informed!