Medical Device Cybersecurity

In medical devices, risk management is expected to be an ongoing activity, which is considered, controlled and documented across all phases in the life of a product, from the initial conception to development and testing, market authorization, post-market use, and through to end-of-life and retirement. 

When cybersecurity risk is not effectively managed throughout the life of the device, it can lead to issues including a medical device failing to deliver its therapeutic benefit, a breach in the confidentiality, integrity, and availability of medical device data, or malicious unauthorized access to the medical device and the network it operates on. 

1. Does the intended use of your device expose it to risks associated with cybersecurity (e.g. will your device connect to networks, will it transmit data)? 
2. How will any cyber risks be managed?
3. Is there a risk that a cybersecurity vulnerability may lead to your medical device compromising the health and safety of the user (patient or operator)? 
4. Is that risk acceptable?
5. Is there a risk that your device could compromise the safety and health of other people (e.g. could your device compromise a biomedical network with other connected medical devices?)
6. Is it reasonable to expect intended users would have the appropriate technical knowledge, experience, education, or training to use your device in a way that minimizes cybersecurity risk?
7. Is the device adequately secured to limit the risk of falsification, impersonation, or suppression of data generated?
8. Has cybersecurity been considered in the design of your medical device? Have principles of inherently safe design (e.g. security by design; quality by design) been used to reduce cybersecurity risks to patient safety?
9. Do you know the generally acknowledged state of the art for cybersecurity for this type of product or the products it connects to and does your product meet this?
10. Have you conducted a risk assessment to identify cybersecurity-related risks associated with the use and foreseeable misuse of your device and have you eliminated or minimized these risks?
11. Does this risk assessment consider risks associated with the implementation of selected security controls (e.g. application of security patches to devices post-market)?
12. Does the risk assessment consider the risk of potential intrusion based on the projected level of cybersecurity threat during the expected life of the device and identify possible mitigations/strategy during design?
13. Does your device have the capability to detect, notify, and log cybersecurity issues and raise an alarm if at risk?
14. Is the cybersecurity of the device able to be regularly maintained? Will your device require patches/updates to its software to maintain acceptable and safe performance? How will updates be delivered, verified, and are accessories required?
15. If your medical device is intended to be used in combination with other devices, equipment, or accessories, has consideration been given to how the intended performance of the medical device might be impacted by cybersecurity vulnerabilities in other devices or other networks? How can risks posed by other devices be mitigated?
16. Are there environmental conditions that need to be considered to minimize the risks associated with the use of the medical device? What are the essential environmental security controls, e.g., isolation, firewalling, intrusion detection systems, etc.?
17. Could a cyber exploit affect the measurement accuracy, precision, and stability of the medical device? Is the integrity of the data vulnerable to cyber-attacks? If measurements become inaccurate, could this result in harm to a patient?
18. Are appropriate cybersecurity controls in place to ensure the applicable confidentiality, integrity, and availability of information collected by the device? How will a user become aware of any issues with regards to this information?
19. Can the performance, reliability, and repeatability of the device be impacted by cyber vulnerabilities?
20. Are there alarm systems to indicate a power failure or warn the user of possible patient harm? Can the integrity of these alarms be altered by adversaries? Is there an appropriate system alarm in place for known vulnerabilities?
21. Are there unique cybersecurity conditions that need to be considered for active implantable medical devices, especially with regards to programming interfaces?
22. Does the information provided with the device explain how to use the device safely with regards to minimizing potential cybersecurity implications? Is the format and structure (free text, structure, or machine-interpretable) of the information provided appropriate to the expected audience?
23. What cybersecurity measures, specific to the device, are recommended/required for networks that this device connects to?
24. Does the information provided with your device explain to users how to maintain cybersecurity for the device, how to know if cybersecurity has been compromised and the steps to take during and after a cyber incident? Is there a risk associated with applying security updates?
25. Is providing cybersecurity information and instructions for maintenance and use adequate to explain how to use the device safely, or does the user require education as well?