It should be noted that while a cyberattack can, in some cases, result in patient harm (e.g., hacking a pacemaker), there are other considerations with cybersecurity that need to be addressed.
Patient identifying information or any data that falls under the EU General Data Protection Regulation (GDPR) for products deployed in the EU must be protected at all times. A security breach involving such data can result in massive fines.
Further, if a device / software is networked, an attack may target the network, using the device / software as the attack vector.
Similar to the (14971-based) risk management process, the risk management process described by UL 2900-1 involves establishing a classification scheme (severity), ‘standard’ risk analysis (risk, effects, severity, likelihood), determination of acceptability, identification and implementation of controls if the risk is considered unacceptable, and an assessment of residual risk.
The project should define the classification scheme and the risk acceptance criteria.This includes consideration of damage, reproducibility, exploitability, affected users, and discoverability. This definition should be provided in the product Risk Management Plan. Other models are acceptable.
The UL 2900-1 standard identifies the following items to consider when addressing cybersecurity:
- Access control, user authentication, and user authorization.
- Remote communication.
- Cryptography (note: special consideration should be given to patient-identifying information, whether stored or transmitted); and
- And Product management (software updates).