Security evaluation services for medical devices
With the rising frequency and sophistication of cyberattacks, medical device regulations are increasingly mandating stricter security measures. Meeting these security requirements in the realm of medical technologies (MedTech) presents challenges, particularly when it comes to navigating the complex array of standards and regulations that must be followed.
Overcome obstacles
The first obstacle for medical device manufacturers is the integration of cybersecurity into existing processes and the harmonization of security requirements with safety requirements. The goal of cybersecurity regulations and guidance for medical devices is always the protection of the patient from physical and privacy-related harm. Hence the motto "no safety without security".
Cybersecurity requirements must be included from the early phases of the product life cycle, guaranteeing "secure by design" products, through to the legacy phase of the medical product. The long life cycle is yet another challenge: manufacturers must consider security solutions even after support for the medical device is no longer provided.
Consideration of the operating environment is an additional challenge. The complexity of medical solutions, emergency situations and the distributed point of care, outside of managed and controlled networks, are critical aspects that must be taken into consideration during the design phase of the medical device.
In addition, the medical device manufacturer must ensure an appropriate level of independence between the development and testing groups. This requires additional technical experts and budget, which can be demanding for small and medium-sized companies to sustain.
How Brightsight can support
We offer comprehensive training, testing, evaluation and certification services to support medical device manufacturers in the supply of safe and secure products. Our portfolio encompasses the pre-market phases of the product life cycle.
All our services take into consideration the requirements coming from different regulatory guidance (e.g. FDA, MDR, NMPA, …) and standards (IEC TR 60601-4-5 and IEC 81001-5-1). In this way, our reports can be submitted to different notified bodies and agencies.
Even though the current landscape for medical device cybersecurity testing lacks clear requirements and testing procedures, Brightsight recognizes the importance of cybersecurity certification. For this reason, it endorses cybersecurity certifications such as SESIP, DTSec and the Cybersecurity Labelling Scheme (Medical Devices), which provide a well-defined evaluation procedure and security assurance for the evaluated product.
Length of evaluation or certification process
Training activities can be planned by the customer from the above-mentioned modules. They typically consist of one day of training, subdivided into several sessions of 2 to 3 hours each, spread across several days.
Depending on the type of product and the complexity of the solution, a Technical Documentation Review is typically a 2-day workshop activity, in which Brightsight experts go through the provided documentation together with the developer, identify potential gaps and propose solutions to improve the security level of the product.
A full testing campaign typically lasts 3 to 6 weeks depending on the complexity of the product; the test plan is based on a defined scope, and the campaign is run as a time-limited project. Tailored testing campaigns can be planned for specific functionalities, interfaces or any other customer need.
Two categories of cybersecurity testing