MDR Compliance 101: How does the medical device cybersecurity testing work Part 3.

In our previous articles we’ve explored what are the drawbacks of smart medical devices from a cybersecurity point of view and how manufacturers can prevent the exploitation of these connected devices. In this article we will focus on how the medical device cybersecurity testing process looks by getting in details about each step.

Those companies, who paid significant attention to IT security throughout the product development process and/or their products comply with the MDD regulation, are already on the right path towards MDR compliance. However, those enterprises who only achieved the minimum requirements of MDD, will soon discover that they’re still a few steps away from MDR or IVDR and obtaining the CE certification.

Let’s explore all necessary cybersecurity evaluations and testing processes that are obligatory to attain the desired certification.

Conformance evaluation

“Prior to placing a device on the market, manufacturers shall undertake an assessment of the conformity of that device, in accordance with the applicable conformity assessment procedures set out in Annexes IX to XI.” (MDR- Article 52)

The first step of the medical device cybersecurity testing process is the MDR gap analysis or the IVDR gap analysis. This thorough assessment explores whether the company and its products correspond to the requirements of the MDR paragraphs, or not. In case of noncompliance, the professional analysts conducting the examination summarize what needs to be changed and/or improved in each area, in order to attain the requested standards.

The image below depicts the areas that should be focused on when managing cybersecurity across the entire lifecycle of a medical device, according to the MDR. Additionally, it demonstrates the different activities that the manufacturer needs to carry out.

Source: MDCG 2019-16, Guidance on Cybersecurity for medical devices

This is the framework MDR specialists turn to when executing the MDR and IVDR gap analysis, the first step of the compliance evaluation.

Most of the time, the mistakes, done during development and unearthed by specialists, are the signs of not understanding security gaps and potential errors deriving from them. As a result, it is important to spread awareness and to warn manufacturers about likely hazards.

Based on our experience, medical devices that incorporate software are prime targets of malevolent hackers. They can use these software and design weaknesses to get a hold of, modify or delete PII, to launch a cyberattack against other companies or sites using the exploited devices, control the device remotely and launch a ransomware attack, or make the service unavailable for a period of time (DoS, DDoS).

These weaknesses are usually the result of unencrypted communication channels,  improper access control implementation, or use of default credentials, which could be prevented with a security-first design approach.

To counter these occurrences, the MDR requires the following,...

“For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.” (MDR - Chapter II., 17.2)

… which takes us to the second step of cybersecurity testing.

Risk assessment

The second stage of the medical device cybersecurity testing framework is risk assessment. Throughout this process, official evaluation organizations, like CCLab, are using the ITIL (Information Technology Infrastructure Library) methodology to discover the potential risks and to categorise their severity and the likeliness of occurrence.

The basis of risk management is a risk matrix, which helps to determine the importance of risks based on their probability of occurrence and their impact.. The severity of a problem can range from Critical, Marginal, to Negligible, while the probability can be: Definitely, Likely, Possibly, and Unlikely.

Thanks to this meticulous process, evaluators are able to:

• Identify and categorize threats
• Assess possible vulnerabilities of critical assets to specific threats
• Determine the probability of risks and their impact
• Identify ways to mitigate risks
• Prioritize risk reduction measures
• Provide methodology for continuous risk monitoring

It is critical to execute this assessment in great detail, otherwise a large cybersecurity attack surface can result in MDR non-compliance.

Obligatory cybersecurity testing

This obligatory testing has two major parts; vulnerability assessment and penetration testing. If you are not familiar with the difference between these two terms, allow us to clarify:

Vulnerability assessment is the method of examining the largest possible attack surface and checking for multiple weakness variants. The aim of the vulnerability assessment is to discover all cybersecurity vulnerabilities in a system, while not immersing ourselves in the depth of that security hole. This procedure is a great solution to fortify the defenses of the product in question, as after the evaluation, organizations receive a complete action plan on how to fix the explored deficiencies. A wide variety of risks can be prevented using this approach, for instance; XSS (cross-site scripting), SQL injection, other code injection attacks, or insecure defaults, like weak passwords.

Penetration testing is the method of selecting 1-2 major weaknesses and checking how deep we can go exploiting them. These deficiencies usually can lie in operating systems, services and application flaws, improper configurations or can be induced by risky end-user behavior. Pen testing is commonly performed manually and automatically and is a totally safe process, as the outcome is only used to improve the security of the system.  

How to find the perfect partner for cybersecurity testing?

It is crucial to get to know the would-be evaluation partner in depth, as the company’s MDR compliance and CE certification depends on the quality of their job. It is important to choose a partner who is on top of the most recent MDR and IVDR changes and who has a significant amount of experience in this area.

At CCLab, we’re well-prepared to satisfy the needs of our partners regarding MDR and medical device security. We can work with organizations, who already have a product on the market and don’t want to postpone taking an action to the last minute, while we welcome those enterprises too, who are still planning the marketing of their solutions and want to do it in the most efficient way.