In this fourth and final part of our IEC/DIS 62304 blog series (Part 1: Its a class app, Part 2: Its a different class, Part 3: How agile are you?) we look at the relationship between the forthcoming version of 62304 and the challenges of cybersecurity.
Over the last 5 years cybersecurity has become one of the biggest global topics, but because international standards have long development lifecycles they struggle to keep pace with this sector.
There have been a number of updates in IEC/DIS 62304 that start to address the challenges of cybersecurity. The introduction to IEC/DIS 62304 makes clear that it does not duplicate well-established security standards, which on the one hand is good, but on the other is where the problems start.
There is now an array of cybersecurity standards around the globe, and knowing which ones to use has become a bit of a minefield. The new Annex C does provide a very good comparison table; four of its entries are reproduced in Figure 1:
| Standard | Scope |
|---|---|
| AAMI TIR 57 | Provides guidance on methods to perform information SECURITY RISK MANAGEMENT for a MEDICAL DEVICE in the context of the SAFETY RISK MANAGEMENT PROCESS required by ISO 14971. |
| ISO/IEC 15408-2 | ISO/IEC 15408-2 defines the content and presentation of the security functional requirements to be assessed in a security EVALUATION using the ISO/IEC 15408 series. |
| ISO 27799 | Defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information SECURITY best practice guidelines. |
| IEC 80001-2-2 | Creates a framework for the disclosure of security-related capabilities and RISKS necessary for managing the RISK in connecting MEDICAL DEVICES to IT-networks and for the security dialog that surrounds the IEC 80001-1 RISK MANAGEMENT of IT-network connection. |
Figure 1: Part of the cybersecurity standard comparison table
AAMI TIR 57 and ISO 14971
In total, table C.1 lists 15 different security standards. Ultimately, cybersecurity is a newer and less well-known topic to many teams than software development. AAMI TIR 57 is referenced several times in IEC/DIS 62304, which is good, because above all TIR 57 bases its processes on ISO 14971, a standard known to everyone in the industry (see Figure 2).
Figure 2: Relation between TIR 57 and ISO 14971
TIR 57 Annex D, in the same way as ISO 14971, has a good summary of security risks that teams new to the area can use to start identifying potential threats and mitigations. Also good reading on the link between cybersecurity and the medical device sector is ISO/PRF TR 24971, due out in July 2020; the AAMI DIS version is already available.
Additionally, there is often confusion over cybersecurity terminology, yet there are no new definitions listed in the IEC/DIS 62304 glossary. Denial of service, threat and malware are used in the body of the standard; it would be helpful to add these cybersecurity terms to the terms and definitions section.
In our next medical device sector blog, we will look at the topic of post market surveillance in connection with amongst other things cybersecurity.
By Alastair Walker, Consultant