MEDICAL DEVICES / FDA & MDR Regulation / ANSI UL 2900

The healthcare sector is one of the most critical infrastructures of every country, because of its direct impact on people. Medical devices that interact directly with patients must offer state-of-the-art performance characteristics. At the same time, the rapid growth of cybersecurity threats and attack vectors increasingly affects medical devices.

From a cybersecurity point of view, most of these devices are high-risk targets. Controlling and minimizing these risks therefore becomes a highly important process that manufacturers need to take into account.

Taking security into consideration throughout the development and manufacturing process of medical devices is a strong means of avoiding future security breaches, thus consolidating the brand’s image and reputation.

Moreover, due to the high risks associated in practice with their devices, medical device manufacturers need to comply with certain regulations in order to place their products on specific markets. In the U.S.A., the Food and Drug Administration (FDA) regulates market access, while in the EU, medical devices need to fulfill the Medical Devices Regulation (MDR).

Assessing, demonstrating compliance, or obtaining relevant security certifications for your medical devices are important actions for improving their security, obtaining clearance for specific markets, and ultimately showcasing their value to patients and healthcare institutions. LCIE can support you with several testing and certification options.

Preparation & Risk Assessment

LCIE Bureau Veritas helps you prepare for the regulation.

We offer training, workshops and gap analysis in the initial phases of your project.

We also support you in performing the risk analysis. Our approach is based on well-known standards: ISO 27005 and EBIOS (https://www.ssi.gouv.fr/guide/ebios-risk-manager-the-method/).

Testing

LCIE can provide testing services in line with the relevant security publications addressing the domain of medical devices. The offered services are presented below.

IEC 62443

LCIE has extensive experience in the interpretation and practical application of the internationally recognized IEC 62443 standard. Several parts of this standard can be of value in demonstrating the security of a product or of its development processes. IEC 62443-4-2 and IEC 62443-3-3 can be used to validate the security of medical products or integrated systems, while IEC 62443-4-1 can be used to validate the security of the medical device development process.

LCIE Medical Devices Security Framework

In order to provide manufacturers with a flexible approach, LCIE has developed its own testing framework, based on state-of-the-art security guidelines such as IEC 62443, UL 2900 and the ENISA Security Baseline Recommendations. Testing a product against the requirements of this framework lets manufacturers select the depth of testing, so that it matches their needs precisely.

FDA/EU Security Requirements

In order to gain access to the U.S. market for a medical device, manufacturers need to apply to the FDA and have their products approved. The FDA assesses the security of devices against its specified requirements. LCIE has put together a flexible compliance service aimed at supporting manufacturers with the FDA requirements at various levels of involvement. Documentation review, several testing options, and analysis of the whole risk assessment file are all available in this compliance service, which gives manufacturers a smoother FDA approval process.

At the same time, the EU Medical Devices Regulation requires manufacturers to demonstrate “state of the art” security in their products. The “Standard” security evaluation service, part of this compliance package, allows manufacturers to efficiently demonstrate the implementation of state-of-the-art security in their products.

Certification

Certification puts official recognition on the results of an assessment of your product. LCIE can support you with certification services for your IoT product based on the following schemes.

UL 2900

LCIE can support official certification of medical devices in line with the UL 2900 (-2-1) standard, with the certificate issued by Bureau Veritas. The service results in a certificate that demonstrates the compliance of the product with the applicable requirements. This certificate can facilitate market access, and is especially well recognized for FDA cybersecurity compliance.