Software as a Medical Device
Second Edition
73 Regulatory Affairs Professionals Society
Introduction
Information Technology (IT) systems are becoming increas-
ingly essential in all facets of work and daily life, from mobile
phones to desktop and laptop computers to the servers and
infrastructure that support them. In healthcare, this includes
hospital back-office IT systems building automation such as
Heating, Ventilation, and Air Conditioning Systems (HVAC)
and door locks and medical IT (medical devices, in-vitro
diagnostics [IVDs], Software as Medical Device [SaMD],
health IT systems, and workstations).
As healthcare becomes increasingly digitalized, the
number of IT systems used to provide care is also rapidly
increasing. As more health IT systems are introduced, their
functionality has also been extended, which often requires
them to be connected to other systems and even via the
internet. This need for connectivity brings significant advan-
tages but also great risks, as these systems can be more easily
influenced by the IT environment and by people who either
accidentally or with malicious intent disrupt or block access
to the IT systems or delete, modify, and copy data from the
system for financial gain or other motives.
Product safety and performance of software-supported
medical devices and IVDs may be affected by security, as
acknowledged in the third edition of ISO 14971.1 Some reg-
ulations focus on safety and performance without explicitly
calling out security, or they only provide high-level security
requirements. An increasing number of healthcare-related
regulatory guidance documents have provided more detail on
how regulators expect manufacturers to address these security
concerns. Recent regulatory changes in the US, for example,
are requiring manufacturers to ensure the cybersecurity of
their medical devices, extending beyond the impact on safety
and essential performance.2
Many healthcare-related regulatory guidance documents
use the words security or cybersecurity. Technically, cybersecu-
rity can be considered a subset of security. Cybersecurity deals
with protecting data and information in digital or electronic
form, while security also involves safeguarding physical assets.
Although they have different meanings, the words are often
used interchangeably. The word security is used throughout
this chapter without the intention of distinguishing between
the terms. SaMD also requires security measures in the physi-
cal world to protect assets, for instance, by placing the network
server that runs the software in a locked cabinet within an
access-controlled room in a physically secured building.
The increase in ransomware attacks worldwide affects
hospitals’ ability to provide care due to the unavailability of
both clinical and non-clinical systems, including electronic
patient records. Although there is no evidence that the
WannaCry attack on the National Health Service (NHS) in
the UK in 2017 led to a higher mortality, it was disruptive,
with a substantial financial impact.3 A cyberattack contrib-
uted to the death of a person in Düsseldorf, Germany, in
September 2020, by delaying patient treatment because the
emergency department of the nearby hospital was closed due
to a cyberattack. The patient died shortly after arriving at
another hospital an hour later. After a two-month investiga-
tion, the public prosecutor in Cologne concluded that there
were insufficient grounds to pursue the hackers for negligent
homicide. Although ransomware was involved in the case,
there were no means to establish legal causation to determine
whether the hackers, if they could be identified, contributed
sufficiently to the fatality.4 The first death that was linked to
a ransomware attack was confirmed by the NHS in the UK,
where an attack caused a long delay in blood-test results,
which contributed to the patient’s death.5 With the increase
in ransomware attacks targeting the healthcare sector, man-
ufacturers and hospitals can expect more negative outcomes
and need to implement adequate security measures to reduce
such risks.6,7
SaMD Security
Security risk management should always consider both the
platform on which the software runs and the infrastructure in
which the software and platform operate (see Figure 7-1). As
7
Security Risk Management
Ben Kokx
Second Edition
73 Regulatory Affairs Professionals Society
Introduction
Information Technology (IT) systems are becoming increas-
ingly essential in all facets of work and daily life, from mobile
phones to desktop and laptop computers to the servers and
infrastructure that support them. In healthcare, this includes
hospital back-office IT systems building automation such as
Heating, Ventilation, and Air Conditioning Systems (HVAC)
and door locks and medical IT (medical devices, in-vitro
diagnostics [IVDs], Software as Medical Device [SaMD],
health IT systems, and workstations).
As healthcare becomes increasingly digitalized, the
number of IT systems used to provide care is also rapidly
increasing. As more health IT systems are introduced, their
functionality has also been extended, which often requires
them to be connected to other systems and even via the
internet. This need for connectivity brings significant advan-
tages but also great risks, as these systems can be more easily
influenced by the IT environment and by people who either
accidentally or with malicious intent disrupt or block access
to the IT systems or delete, modify, and copy data from the
system for financial gain or other motives.
Product safety and performance of software-supported
medical devices and IVDs may be affected by security, as
acknowledged in the third edition of ISO 14971.1 Some reg-
ulations focus on safety and performance without explicitly
calling out security, or they only provide high-level security
requirements. An increasing number of healthcare-related
regulatory guidance documents have provided more detail on
how regulators expect manufacturers to address these security
concerns. Recent regulatory changes in the US, for example,
are requiring manufacturers to ensure the cybersecurity of
their medical devices, extending beyond the impact on safety
and essential performance.2
Many healthcare-related regulatory guidance documents
use the words security or cybersecurity. Technically, cybersecu-
rity can be considered a subset of security. Cybersecurity deals
with protecting data and information in digital or electronic
form, while security also involves safeguarding physical assets.
Although they have different meanings, the words are often
used interchangeably. The word security is used throughout
this chapter without the intention of distinguishing between
the terms. SaMD also requires security measures in the physi-
cal world to protect assets, for instance, by placing the network
server that runs the software in a locked cabinet within an
access-controlled room in a physically secured building.
The increase in ransomware attacks worldwide affects
hospitals’ ability to provide care due to the unavailability of
both clinical and non-clinical systems, including electronic
patient records. Although there is no evidence that the
WannaCry attack on the National Health Service (NHS) in
the UK in 2017 led to a higher mortality, it was disruptive,
with a substantial financial impact.3 A cyberattack contrib-
uted to the death of a person in Düsseldorf, Germany, in
September 2020, by delaying patient treatment because the
emergency department of the nearby hospital was closed due
to a cyberattack. The patient died shortly after arriving at
another hospital an hour later. After a two-month investiga-
tion, the public prosecutor in Cologne concluded that there
were insufficient grounds to pursue the hackers for negligent
homicide. Although ransomware was involved in the case,
there were no means to establish legal causation to determine
whether the hackers, if they could be identified, contributed
sufficiently to the fatality.4 The first death that was linked to
a ransomware attack was confirmed by the NHS in the UK,
where an attack caused a long delay in blood-test results,
which contributed to the patient’s death.5 With the increase
in ransomware attacks targeting the healthcare sector, man-
ufacturers and hospitals can expect more negative outcomes
and need to implement adequate security measures to reduce
such risks.6,7
SaMD Security
Security risk management should always consider both the
platform on which the software runs and the infrastructure in
which the software and platform operate (see Figure 7-1). As
7
Security Risk Management
Ben Kokx