Chapter 7: Security Risk Management
80 Regulatory Affairs Professionals Society
requirements, technology choices, and applicable regulations
for the manufacturer and user.
Addressing security can be complex when the manufacturer uses different standards to demonstrate compliance with the requirements of specific laws and regulations. The following are some examples of commonly used security standards:
Operational security for the manufacturer, healthcare
delivery organization, and any third-party IaaS/PaaS
providers:
o ISO/IEC 27001, ISO/IEC 27002, and ISO 27799 (the healthcare-specific guidance built on ISO/IEC 27002)
o NIST Cybersecurity Framework, NIST SP 800-53
o ISO/IEC 27034 series
o IEC 80001-1
o ISO 81001-1
Cloud service providers and users:
o ISO/IEC 27017
o ISO/IEC 27018
o ISO/IEC 27701
Security requirements for manufacturer processes:
o IEC 81001-5-1
o NIST SP 800-218 (SSDF)
o IEC 62443-4-1
Security requirements for the SaMD product:
o IEC/TR 60601-4-5
o IEC/TS 81001-2-2
o IEC 62443-4-2
Overlapping Legislative Security Requirements
The confidentiality, integrity, and availability of systems and data affect not only the safety and performance of the device but also the mission of the healthcare delivery organization at large, including its ability to comply with other legislative obligations, such as data protection legislation like the General Data Protection Regulation (EU) 2016/679 in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the US.
Across the globe, policymakers and regulators are introducing security requirements in a variety of new laws and regulations to protect society at large by strengthening the cyber resilience of the healthcare sector and other critical infrastructures against increasing cybersecurity threats. Geopolitical changes are widening the threat picture from criminals acting for financial gain to state actors conducting cyber warfare.
The updated Network and Information Security Directive (NIS2, Directive (EU) 2022/2555) in Europe sets risk management and incident reporting requirements for critical infrastructure, and now also addresses supply chain security. NIS2 applies directly to healthcare delivery organizations, managed service and cloud providers, and medical device manufacturers in Europe. Because it is a directive, it is transposed into national law, and additional requirements in a member state's NIS2 implementation might affect the features and configuration of the SaMD, its operating system and supporting software, and the infrastructure it runs on. For instance, a national requirement for strong encryption of sensitive data on the network, such as electronic patient records or national identifiers, might break communication with systems on the network that do not support the required cryptographic methods.
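The breakage described above is best found before the encryption requirement is enforced, not after. The following is an added example and is not from the original chapter or from any of the standards or regulations it cites: it models a hypothetical national encryption policy as a TLS version floor plus a cipher suite allow-list, then runs an inventory of constructed sample peers through a simplified handshake to list which systems would lose connectivity and why. The peer names, offered suites and policy values are assumptions for illustration; a real assessment would take the inventory from a scan of the actual hospital network.

```python
"""Impact check for a network encryption policy before it is enforced (added example).

Assumed policy and peers are constructed for illustration; nothing here is
taken from a real national NIS2 implementation or a real hospital inventory.
"""
from __future__ import annotations
from dataclasses import dataclass

# Protocol versions from weakest to strongest; the policy sets a floor on this list.
TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass(frozen=True)
class Policy:
    """Hypothetical national rule: minimum TLS version plus an allow-list of suites."""
    min_version: str
    allowed_suites: frozenset[str]


@dataclass
class Peer:
    """A system on the hospital network, as it would appear in an asset inventory."""
    name: str
    # Cipher suites the peer offers, keyed by protocol version, in the peer's preference order.
    suites: dict[str, list[str]]

    def versions(self) -> list[str]:
        return [v for v in TLS_VERSIONS if v in self.suites]


def negotiate(policy: Policy, peer: Peer) -> tuple[str, str] | None:
    """Simulate the handshake: highest version at or above the floor, then the first
    peer-preferred suite the policy allows. None means the connection would fail."""
    floor = TLS_VERSIONS.index(policy.min_version)
    for version in reversed(TLS_VERSIONS):          # strongest first
        if TLS_VERSIONS.index(version) < floor:
            break                                     # everything below the floor is rejected
        for suite in peer.suites.get(version, []):
            if suite in policy.allowed_suites:
                return version, suite
    return None


def why_blocked(policy: Policy, peer: Peer) -> str | None:
    """Distinguish peers needing a protocol upgrade from those needing only a suite change."""
    if negotiate(policy, peer) is not None:
        return None
    floor = TLS_VERSIONS.index(policy.min_version)
    if all(TLS_VERSIONS.index(v) < floor for v in peer.versions()):
        return "protocol version below policy floor"
    return "no permitted cipher suite at an accepted version"


def blocked_peers(policy: Policy, inventory: list[Peer]) -> list[str]:
    """Systems that would lose connectivity the moment the policy is enforced."""
    return [p.name for p in inventory if negotiate(policy, p) is None]


# Constructed policy: TLS 1.2 or later, AEAD suites with forward secrecy only.
STRICT_POLICY = Policy(
    min_version="TLSv1.2",
    allowed_suites=frozenset({
        "TLS_AES_256_GCM_SHA384",          # TLS 1.3 suites (IANA names)
        "TLS_AES_128_GCM_SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",   # TLS 1.2 suites (OpenSSL names)
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
    }),
)

# Constructed sample inventory of peers the SaMD must talk to.
INVENTORY = [
    Peer("ehr-gateway", {"TLSv1.3": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"],
                         "TLSv1.2": ["ECDHE-RSA-AES256-GCM-SHA384"]}),
    Peer("legacy-pacs", {"TLSv1.1": ["AES128-SHA"], "TLSv1.0": ["AES128-SHA"]}),
    # Prefers a CBC suite without forward secrecy but can fall back to a permitted one.
    Peer("lab-analyzer", {"TLSv1.2": ["AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]}),
    # Speaks TLS 1.2 but offers no permitted suite at all.
    Peer("patient-monitor", {"TLSv1.2": ["AES256-SHA", "DHE-RSA-AES256-SHA"]}),
]

if __name__ == "__main__":
    for peer in INVENTORY:
        result = negotiate(STRICT_POLICY, peer)
        status = f"OK {result[0]} {result[1]}" if result else f"BLOCKED: {why_blocked(STRICT_POLICY, peer)}"
        print(f"{peer.name:16} {status}")
```

The report separates the two remediation paths a practitioner cares about: a peer stuck below the version floor needs a software or firmware upgrade (or a network-level exception with compensating controls), while a peer that already speaks an accepted version usually only needs its cipher suite configuration changed.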
When addressing additional legislative requirements, consideration must always be given to safety and effectiveness. For instance, requiring multi-factor authentication before patient information can be viewed on a vital signs monitor might protect personal data from a privacy legislation perspective, but it also raises a patient safety concern: necessary information might not be immediately available in an emergency, which could delay treatment and thus harm the patient.
Conclusion
With attacks on the healthcare sector rising for both financial and geopolitical reasons, it is essential to implement and maintain robust security, not only to protect the safety and essential performance of medical products but also to safeguard the interconnected systems that together deliver patient care.