Cybersecurity within Medical Devices

Swiss Cheese Effect

The concept of "Layers of Defence" was introduced to me many years ago in the aviation industry, but it applies to any sort of management system due to the concept of risk management.

The principle essentially treats each layer of delicious cheese as an element of a system. As a simple example: the first layer could be your security policy, the second layer staff training, the third layer vulnerability testing and the fourth penetration testing.

A great way to think of the difference between penetration and vulnerability testing is through testing the strength of a door:

Vulnerability testing is knocking on the door at points to see if it makes any creaks, or strange noises.

Penetration testing is trying to kick the door down.

Anyway, the holes in the cheese represent the deficiencies that every layer of defence has. The arrow is the hazard or threat; when all of the gaps align, it can pass through every layer and result in a harm.

The EU MDR does not specifically mention "cybersecurity", but rather information security. Risks related to this should be integrated into the risk management system and addressed through a specific "Security Risk Management Plan", which can form part of the overall risk management plan or be a standalone element (MDCG 2019-16).

I hope some of these analogies prove useful in explaining the concept of cybersecurity within medical device design in the scope of the wider context.

Feel free to reach out if you need any MDR consulting services.
