Cyber security guidance for healthcare professionals procuring and deploying connected medical devices

This guidance provides UK professional health providers with cyber security guidance for procuring and deploying Connected Medical Devices (CMDs).

It is aimed at technical and managerial staff who want to consider: 

  • cyber security as part of their procurement process for CMDs
  • cyber security in deploying, sustaining and disposing of CMDs (regardless of how they were procured, so including devices with inadequate support) - devices with inadequate support are sometimes described as ‘legacy’.

It provides references to existing publications which cover CMDs and have been reviewed by the National Cyber Security Centre and NHS Digital.


Definitions

For the purpose of this guidance, a CMD is defined as a medical device with a connected network capability. The definition is agnostic to the technical means by which that connectivity is achieved. The term ‘medical device’ will take the meaning given in EU Regulation 2017/745 - essentially physical equipment or software that is used on humans for formal medical purposes. 

This guidance is more applicable to large devices than small ones such as ‘implantables’. This is noted as a gap in the guidance currently available. This is because many of the risk reduction measures are not viable for low-cost devices (especially legacy ones), nor for devices with inflexible supporting network architecture.


Suggested guidance for cyber security of connected medical devices

NHS data security and protection toolkit

Intended readership 

Health care organisations and technical managers. 

Purpose 

  • an online self-assessment tool for organisations to measure their performance against the National Data Guardian’s 10 data security standards
  • emphasis is on requirements rather than provision of guidance.

Use it when 

  • you want to check your CMD security processes against the National Data Guardian’s 10 data security standards
  • relevant to deploying, sustaining and disposing of devices. Less relevant to procuring them.

Be aware that

  • It’s concerned more with the confidentiality of data security than the safety concerns that can arise from compromise of CMDs
  • Being general to healthcare IT, there’s little mention of CMDs, but the principles often apply to CMDs. It nicely considers the challenges of running collections of systems rather than systems in isolation.

 Version reviewed - 2019-2020 V1.9.6, 21 June 2019.

Read a copy of the toolkit

Clinical risk management: its application in the deployment and use of health IT systems

Intended readership 

People in health organisations responsible for the safety of health IT systems through the application of clinical risk management. 

Purpose  

To ensure that clinical risk management is carried out by health organisations responsible for deploying, using, maintaining or decommissioning health IT systems within the NHS. It presents a set of requirements and emphasises roles, responsibilities and process.

Use it when

Determining roles and responsibilities for applying clinical risk management to deploying, using, maintaining or decommissioning Health IT Systems (including CMDs). It's especially useful for determining when the risk from a device has reached a point that necessitates decommissioning.

Be aware

  • it doesn't advise on the cyber security technicalities of managing devices
  • it usefully references EU Regulations on Medical Devices 2017/745 and ISO 14971:2012 Medical Devices: Application of Risk Management to Medical Devices. 

Version reviewed 

DCB0160 implementation guidance v4.2, 2 May 2018

Specification: DCB0160 Specification v3.2.docx, 02 May 2018

Learn more about this guidance.

NCSC security design principles: guides for the design of cyber secure systems

Intended readership 

Cross sector - technical.

Purpose

To ensure networks and technologies are designed and built securely. 

Which parts to read 

  • ‘Cyber security design principles’ 
  • the ‘Virtualisation security design principles’ section is only relevant if virtualisation is employed.
     

Use it when

Procuring devices, when evidence can be sought that devices under consideration can be deployed in adherence with the principles described.

Be aware that 

  • Being cross-sector rather than healthcare specific, thought is needed to determine how the principles apply to CMDs.
  • it is likely to be of most use where the healthcare provider’s IT environment adheres to the principles, in which case checks can be made on prospective CMDs that they can be deployed in a way that’s consistent with the existing environment.

Version reviewed

1.0 21 May 2019. 

Status - non binding.

Learn more about the guidance

Health industry cybersecurity practices: Managing threats and protecting patients

Intended readership 

Health organisations of all types and sizes across the industry. Managerial and technical.

Purpose 

Raise cyber security awareness for health care executives, practitioners, providers and delivery organisations.

Use it when

  • procuring, deploying, sustaining and disposing of CMDs.
  • wanting to convince executives and non-technical staff of the importance of cyber security to health care
  • wanting to understand the specific requirements of CMDs.

Which parts to read 

To convince executives and non-technical staff of the importance of cyber security to health care, see ‘Cybersecurity attacks continue to affect the health care industry’ in main document, pp. 7-10, 13-27. 

To consider the special needs of connected medical devices (as well as those common to other parts of the health IT infrastructure) for procurement, deployment, sustainment and disposal, see:

  • for a managerial/non-technical narrative: main document ‘Threat: Attacks Against Connected Medical Devices That May Affect Patient Safety’, pp. 24-25
  • for a technical narrative: ‘Cybersecurity Practice #9: Medical Device Security’ in technical vol 1 for small healthcare organisations or technical vol 2 for medium to large healthcare organisations.

Be aware 

The documents focus on ‘five of the most current and common cybersecurity threats to healthcare organisations’. Given the evolving and uncertain nature of threats, this should not be taken to imply that these are the only threats that can pertain to the sector.

To recognise that healthcare organisations’ needs and resources vary by size, technical vol 1 is written for small healthcare providers while technical vol 2 is written for medium to large healthcare organisations. Though a useful approach, this risks small providers being underprepared. We therefore advise that small providers with the capacity to do so also consider the advice for medium to large providers.

It contains some US-specific aspects, though the majority is relevant to the UK. Despite its length, it is an easy read.

Version reviewed

January 2019 

Status 

non-binding.

Learn more about the guidance.  

 

Device and health IT joint security plan

Intended readership 

Healthcare providers, medical device manufacturers and vendors – managerial and technical. 

Purpose

To aid medical device manufacturers, healthcare IT vendors and healthcare providers in enhancing cybersecurity, irrespective of organisation size or maturity.

Use it when

Determining the cyber security factors to consider when procuring connected medical devices.

Which parts to read

  • section VII: B.: vi: b) ‘Customer Security Documentation’ (i.e. Lines 492-527) & Appendix G for suggested elements of customer security documentation
  • appendix E for examples of security design requirements that health providers may wish to verify when procuring.

It is not recommended that the document be read in its entirety.

Version reviewed

January 2019 (first publication)

Status

Optional

Learn more about this guidance

Postmarket management of cybersecurity in medical devices

Intended audience

Manufacturers and Food and Drug Administration (FDA) staff. Managerial and technical.

Purpose

 To articulate the FDA’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices.

Use it when

Determining the desired level of cyber security support for in-service devices, to consider when procuring connected medical devices.

Which parts to read

As the document is aimed at manufacturers, the relevance for healthcare providers is to help determine whether devices under consideration for procurement contain sufficient cyber security provision. Healthcare providers could ask manufacturers how much of the guidance they follow and use the responses to inform their clinical risk assessments.

Much of the document is specific to the USA, so we recommend selective reading of the above sections. We do not necessarily recommend CVSS in this context, but the document cites it only as an example of a tool for assessing exploitability. FDA has also published a premarket document to assist manufacturers in designing and developing devices securely.

Version reviewed

28 December 2016, FDA-2015-D-5105

Status 

Non binding. 

Learn more about this guidance.  


Contact us

For further advice, please contact the Data Security Centre by emailing [email protected].

Last edited: 6 January 2023 1:22 pm