How to Comply with EU MDR & Manage Cyber Threats

By Chris Nahil on July 20, 2021

On May 26, 2021, the European Union adopted a new regulation, known as the European Union Medical Device Regulation (EU MDR). One of the signal changes of this regulation is it generates a tidal wave of data from Europe’s life sciences industry. Manufacturers must now collect detailed usage information from end-users, then apply this data towards improving the quality of their devices. While this regulation improves the culture of quality within the EU’s medical device industry, it also means QMS software for medical devices may become a target for attackers.

Right now, stolen personal health information (PHI) is up to 50 times more valuable than stolen credit card numbers on the black market. Medical information is immutable—you can cancel a credit card, but it’s much more difficult to change your identifiable medical information. That makes it easier for holders of stolen PHI to steal your identity. The more complete a medical record is, the more valuable it is. Therefore, the EU MDR—which tells medical device manufacturers to hold more complete medical records—may ironically signal attackers of a new and target-rich environment for them to take advantage of.

Medical Device Cybersecurity Risks

If you’re not an information security professional, it’s hard to fathom the manifold risks involved with a cyberattack. A minor data breach might mean you lose a couple of hours of productivity while IT re-images your computer. A major data breach might mean your company loses millions of dollars and thousands of customers.

First, there’s the risk of a data breach. Here, an attacker gets into your network, installs malware, and steals credentials for your medical device QMS software. They use this to copy your database of PHI. From here, there are two outcomes—they can sell the copies database, or they can hold it for ransom. “Unless you pay us €100,000,” they’ll say, “We’ll release this information on the black market.”

Next, there’s the risk of ransomware. That kind of malware encrypts your databases, turning them into electronic gibberish unless you purchase an encryption key from your attacker. It is sometimes possible to restore your encrypted data without a key, but this is a lengthy and expensive process. Other times—whether you pay a ransom—the data is gone for good.

If you’re collecting data from your end-users, this means your medical devices may connect to your network. That means an attacker could infect your medical devices with ransomware directly, rendering them inoperable. That isn’t just conjecture—during the 2017 WannaCry incident, attackers successfully infected a Bayer Medrad device, which is equipment designed to deliver a contrast agent that assists with MRI scans. Imagine the consequences if an attacker disabled a medical device while it was in the middle of a lifesaving treatment?

Lastly, there’s the aftermath to consider. If you’re attacked, patients will begin distrusting you. They’ll distrust you if you lose their personal data, and they’ll distrust you more if your devices become inoperable. If the EU information commissioner’s office (ICO) suspects you’ve been negligent in protecting your customers, then you may run afoul of the GDPR. Under the GDPR, you can be fined up to €20 million or 4% of your annual revenue—whichever figure is higher. Therefore, you have many incentives to make sure cyber attacks don’t happen.

How to Manage Medical Device Cybersecurity Risks

If you want to comply with the EU MDR—without running afoul of attackers—then you’re going to need to put some thought into defending your QMS software for medical devices.

There’s potentially some good news. If your company is serious about GDPR compliance, it will already have an information security department and a data protection officer (DPO). Your information security department will have the primary responsibility of protecting your organization from cybercriminals. They’ll install security applications like firewall and antivirus, and they’ll monitor your network for active threats.

Meanwhile, your DPO will be in charge of documenting the information security department’s preparations and reporting them to the ICO. The ICO will know you’re undertaking a good-faith effort to protect against cyberattacks, so you probably won’t run afoul of the GDPR in the event of a data breach.

Your information security department will gladly work with you to help make sure your EU MDR data doesn’t fall into the hands of bad actors. To do this, they’ll probably want to know a few things:

  • Who in your organization can access PHI? These individuals need to be trustworthy—otherwise, there’s a chance they could steal this information and sell it themselves.
  • How is your organization trained to handle PHI? Without appropriate training, there’s a chance they could leak this information accidentally.
  • What is the status of your permissions? Most people should be limited to view-only access for PHI—they should not be able to edit, move, copy, encrypt, or delete it.
  • Do any vendors have access to your PHI? Attackers adopt a tactic known as a “supply chain attack,” where they attack vendors to obtain their customers’ data. You need to vet your vendor’s security carefully and assess the status of their permissions.

Does this sound complicated? You’re not alone. If you select the right medical device QMS software, however, you’ll be able to automate a lot of your security efforts.

The Importance of QMS Software for Medical Devices

With the right QMS software, you’ll be able to implement granular role-based access control across your quality organization. What does this mean?

This way makes it easy to control permission to access PHI within your organization—without going through and assigning permissions to every employee or vendor individually. If someone in your organization has the role of “quality manager,” for example, they might view, move, and edit quality information but not delete it. Someone with the role “quality vendor” might automatically be restricted to view-only.

In addition, you may want to invest in cloud-native QMS software as opposed to hosted or on-premises solutions. This is especially useful if your information security department is on the smaller side. That’s because, in a cloud-native environment, the cloud provider–such as Amazon, Microsoft, or Google–is responsible for building and maintaining security infrastructure. For example, this means that Amazon, with its nearly infinite resources, can handle the implementation of security tools and the staffing to monitor these tools. Your only responsibility will be the handling of access permissions, as detailed above.

ETQ Reliance NXG is a QMS for life sciences and other industries, and it comes with robust and granular access controls to provide information security. With Reliance NXG, you’ll be able to comply with the strictures of EU MDR without becoming a target for attackers. Sign up for a free demo to receive more information today.

FAQ

How are medical devices regulated in the European Union?

Medical devices are regulated according to the EU MDR, which requires (among other things) that life sciences manufacturers collect end-user data and use it to improve the quality of their devices.

What is the EU Cybersecurity Act?

The EU Cybersecurity Act provides a permanent mandate for ENISA, the EU Agency for cybersecurity. This bureau coordinates Europe-wide response teams in the event of a large-scale cybersecurity incident.

Does EMA regulate medical devices?

Yes. Under the EU MDR, the European Medicines Agency (EMA) is now responsible for assessing specific aspects of medical device quality.

What is the new medical device regulation?

The newest medical device regulation in Europe is the EU MDR, which took effect in May 2021.