An Overview of Cybersecurity Regulations and Standards for Medical Device Software

This paper discusses current cybersecurity regulations and standards for medical device software set by government agencies and agencies developing industry and international standards such as the FDA (Food and Drug Administration), CFDA (China Food and Drug Administration), ISO (International Organization for Standardization), IEC (International Electrotechnical Commission), UL (Underwriters Laboratories), and others. The concepts described within this paper can be utilized by medical device manufacturers in order to establish a cybersecurity program as part of their quality management systems. In general, there are three complementary ways based on the NIST (National Institute of Standards and Technology) cybersecurity framework that can be used to remove gaps in the organization's cybersecurity. The first way focuses on designing software products that take cybersecurity into account (i.e., prevention). The second way is to perform security and penetration testing and to apply other cybersecurity controls to reduce attacks and vulnerabilities that could be exploited (i.e., detection). The third way emphasizes maintenance plan in case of a cyberattack (i.e., response and recovery).