Principal Results
The goal of this scoping review was to identify the current legal frameworks, guidelines, and standards in the US and EU on how cybersecurity should be considered in the benefit-risk analysis of MDs, and to provide recommendations for manufacturers. We identified two regulations (MDR and FD&C Act), four standards, issued by ISO, IEC, and AAMI, five technical documents, and ten guidelines, issued by the FDA, MDCG, and IMDRF.
The regulations in both the US and EU provide high-level requirements for the BRA, but do not explicitly address the intersection of cybersecurity and BRA. On the guidelines level, MDCG 2019-16 provides an overview of cybersecurity requirements for the EU and acknowledges that cybersecurity-related risks should influence the BRA. For the US, FDA guidelines underscore the relevance of the BRA without detailing methods for the consideration of cybersecurity-related risks.
Multiple standards and technical reports describing the intersection of cybersecurity and the BRA, mandate the execution of a BRA only when residual risks, including cybersecurity-related ones, cannot be reduced to an acceptable level through risk management10,32,35. Some of these documents provide methods and examples explicitly for a security BRA32,35,38, while others only loosely describe methods that could be adapted to consider cybersecurity-related risks without providing more details10,11.
Benefit-Risk Analysis and Cybersecurity
In our scoping review, we identified a notable gap between the acknowledgement of the relevance of cybersecurity-related risks for the BRA and the actual guidance on how to consider these risks within it. Existing guidelines from both the EU and the US mention cybersecurity-related risks as relevant for MDs, since they could affect a MDs safety and security. Yet, they do not provide detailed methods on how cybersecurity should or could influence the BRA12,29–31, or only reference generic methods22–24. Thus, and through the lack of concrete examples, there remains some amount of uncertainty within those guidelines on how and when to conduct a BRA in general, and on how to conduct a security BRA. For the EU, this is reinforced by the fact that currently, two interpretations of the MDCG guidance are possible: the BRA could be divided into sub-categories identified in the risk assessment (e.g., cybersecurity-related risks, electromagnetic risks, usability risk), or all risks, including cybersecurity-related ones may be considered within the overall BRA12.
Many of the included documents consider BRA an explicit requirement, necessitating the description and coverage of all safety risks, including those caused by cybersecurity threats10–12,17–20. Some of the included documents provide sophisticated overviews of cybersecurity-related risks and the security risk management process, but they do not go into detail regarding the BRA, or, again, refer to generic methods35,37. Others provide methods that could be adapted to consider cybersecurity while not containing specific information about the relationship between cybersecurity-related risks and the BRA10,11,19–21.
Three guidance documents separate security and safety risk management into two processes12,32,38. While the intersection of both processes is acknowledged, they include separate BRAs: one for safety risk management, which considers all residual risks, including security-related ones, comparing them to the clinical benefits to patients and to the health system, and another one for security alone12,32,38. While a lot of guidance exists for the identification of security risks, it remains unclear how security benefits are defined and how they influence the security BRA as well as the safety BRA. AAMI TIR57 states that manufacturers should appropriately balance the residual security risk against the benefit gained by the design capability or security control32. SW96:2023 provides a brief example here, where the benefit of accurate patient identification outweighs the residual risk of storing patient data38. However, this approach somewhat contradicts the understanding of a BRA described in other documents, which mandate a more holistic approach, weighing the clinical benefits of the device against the residual cybersecurity-related risks, and conducting an additional general BRA that considers all residual risks10,11,19–21,35. These risks, in combination, could be more significant than the individual ones10.
Some standards and official guidance documents differ in their description of when a BRA must be carried out. One only calls for a BRA if residual risks remain unacceptable37, which contradicts the requirements of the MDCG guidance and FDA. These two organisations, as the official bodies that are tasked with providing guidance to manufacturers on how to interpret and apply the applicable laws, see the BRA as a final step in deciding whether an MD should be put on the market12,17–21. A middle ground position is provided by multiple documents that require a separate BRA for any individual residual risk that is not judged acceptable, while an overall BRA should be conducted to evaluate the overall residual risk, which should consider cybersecurity-related residual risks10,11,32,35,38.
Traditionally, BRA is often seen as primarily a premarket process in the MD development and approval process. However, multiple guidelines clarify that BRA is an ongoing process12,19,20,22,23,31, and especially when initial data is limited, post-market surveillance (PMS) should be used to further define the risk profile of a device and update the BRA accordingly20. This ongoing process includes BRA by the healthcare provider and the MD manufacturer before deploying updates and after the end of service (EOS) of devices22,29,31.
In the included documents, multiple issues were identified that bring particular technical challenges to the process of conducting a BRA. Firstly, cybersecurity-related risks could be difficult to assess, especially in a quantitative manner, due to the unpredictable nature of vulnerabilities10,22–24,37. Those vulnerabilities appear over time, e.g., through proactive attacks targeting specific aspects of devices or, more commonly, through bugs in standard software libraries or components41, and zero-day exploits (unknown vulnerabilities that can be exploited before they are publicly known and mitigated42). ISO TR 24971:2020 acknowledges the existence of such hard-to-quantifiable risks which could also be connected to other new technologies such as artificial intelligence43–45, gamification46, or virtual reality47,48, but considers them still as relevant for the BRA11. Secondly, updating devices could also lead to harm primarily regarding the availability of products during the update phase, which needs to be considered within the BRA20,22,23,29. Thirdly, the end of service (EOS) of a device needs to be considered: devices that no longer receive updates and security patches (post-EOS) become susceptible to cybersecurity threats31. Fourthly, there is the need to balance security measures, since both too weak and overly restrictive security measures could pose risks12: Weak measures do not provide adequate protection, e.g., for personal data, while overly restrictive measures hinder device usability. Additionally, implementing a risk control measure to reduce one risk can introduce new risks, e.g., when adding a higher authentication standard (e.g., two-factor authentication) to address the risk of the disclosure of patient data could limit the accessibility of the device in case of an emergency11. Lastly, for cMDs, the whole IT infrastructure needs to be considered when assessing cybersecurity-related risks35,38, i.e., with a network-level risk assessment, since cMDs usually exchange data with multiple other devices and services, some of which are MDs, while some are not. Additionally, the implementation of a new device into an existing infrastructure might introduce vulnerabilities for the whole system.
Recommendations and Future Research
Based on our findings, we propose several recommendations for MD manufacturers on what should be considered when assessing cybersecurity-related risks in a BRA. Table 3 provides an overview of those recommendations. Manufacturers should create an SBOM to facilitate the BRA for regulators. A holistic BRA should always be conducted as part of the overall risk management process, and not only if unacceptable residual risks remain since a combination of risks could have a higher impact than each individual risk. Instead of conducting a BRA only for cybersecurity-related risks and benefits, a holistic BRA should be conducted, considering the overall residual risks including cybersecurity-related ones in the context of clinical benefits12,19–21. In the BRA not only the cybersecurity-related risks for the individual device must be considered, but the impact of the implementation of the device into the IT infrastructure since the device might introduce new vulnerabilities that influence all other devices in the network. If residual risks remain, manufacturers should maintain good communication with patients and healthcare providers describing those risks without delivering a blueprint for an attacker32. The response to security events and the deployment of updates should be guided by a BRA since both could cause new risks for patients20,22,23,29. Since previously unknown vulnerabilities could emerge in cMDs37 that can change the benefit-risk ratio, the BRA must be conducted regularly. For devices after the EOS, the BRA, conducted by the healthcare provider, should consider the benefits and risks of using old devices versus acquiring new ones.
Table 3
Recommendations on how to conduct a BRA that considers cybersecurity-related risks. Besides the recommendation and its description, the phase of the MD lifecycle in which a recommendation is relevant for the BRA is provided.
Recommendation | Description | Phase |
Prepare a Software Bill of Materials (SBOM). | Manufacturers should create an SBOM to facilitate the BRA for regulators. | Pre-market |
Always conduct a BRA | The BRA should always be conducted as part of the overall risk management process and not only if unacceptable residual risks remain, as a combination of risks could have a higher impact than each individual risk. | Pre-market |
Conduct a holistic BRA. | Instead of conducting a BRA for each cybersecurity-related risk individually, a holistic BRA should be conducted, considering the overall residual risks including cybersecurity-related ones, in the context of clinical benefits12,19–21. | Pre-market and Post-market |
Consider the whole IT-infrastructure. | In the BRA not only the cybersecurity-related risks for the individual device must be considered, but the impact of the implementation of the device into the IT-infrastructure since the device might introduce new vulnerabilities that influence all other devices in the network. | Pre-market and Post-market |
Effective communication of residual risks. | If residual risks remain, manufacturers should maintain good communication with patients and healthcare providers describing those risks without delivering a blueprint for an attacker32. | Post-market |
Guiding security event responses and updates by a BRA. | The response to security events and the deployment of updates should be guided by a BRA since both could cause new risks for patients20,22,23,29. | Post-market |
Conduct the cybersecurity BRA regularly. | Since previously unknown vulnerabilities could emerge in cMDs37 that can change the benefit-risk ratio, the BRA must be conducted regularly. | Post-market |
Consider a device’s EOS. | For devices after the EOS, the BRA conducted by the healthcare provider should consider the benefits and risks of using old devices versus acquiring new ones. | Post-market |
While this review and the recommendations laid the groundwork for a better understanding of how to consider cybersecurity in the BRA, further development of methods for the assessment of cybersecurity-related risks and the incorporation of these risks in the BRA process is necessary. The absence of standardised frameworks for the BRA in general and for the evaluation of cybersecurity-related risks likely contributes to the current discrepancies between existing standards, technical documents, and guidance on these themes.
Additionally, the interaction between clinical benefits, cybersecurity-related risks, safety, and security should be explored further. The limitations of current guidance are demonstrated by the following example: A ‘traditional’ pre-digital laser device for surgical interventions at the eyes without any software running on the device and without any interfaces poses only safety risks. However, when adding a digital component, e.g., for a cloud connection, new security and safety risks, partly related to cybersecurity, arise. At this time, it remains unclear how those new risks would impact the security BRA as well as the overall BRA.
Understanding how these elements influence each other will help to develop more effective risk management strategies and a better understanding of what risks are tolerable in innovative MDs. As the technology develops, new attack vectors will emerge, e.g., through quantum computing, artificial intelligence, or previously undetected dormant faults. Research is needed to identify these potential threats and develop innovative mitigation strategies to counter and proactively approach them. This research should not only focus on single devices but should also consider whole infrastructures since MDs and non-MDs often exist in the same system.