ISO 27001: IT Security Management for all Medical Device Manufacturers?

ISO 27001 and information security management systems (ISMSs) are becoming increasingly common topics of debate during ISO 13485 audits. The regulations are the reason for this. And it’s not just because of the Digitale Gesundheitsanwendungen Verordnung (DiGAV), although it has put ISO 27001 into the spotlight for a lot of medical device manufacturers.

Manufacturers have to comply with the regulatory requirements to avoid problems with the regulatory authorities and notified bodies, and to avoid endangering patients. However, they should also avoid unnecessary efforts and costs. So, they should understand:

  • Whether the issue of ISMSs and, as a result, ISO 27001 applies to them at all
  • The requirements that ISO 27001 establishes for ISMSs
  • How they can implement an ISMS (especially if they already have a QMS).

1. Who ISO 27001 affects

a) Regulatory framework

Organizations can take on different roles:

  • Marketers of medical devices
  • Operators of medical devices
  • Service providers for marketers or operators

The regulatory requirements are primarily aimed at marketers and operators:

  Role              | MDR, IVDR                                                                 | GDPR
  ------------------|---------------------------------------------------------------------------|--------------------------------------------------------------------
  Marketer          | Yes (including manufacturing, “authorization”, post-market surveillance)  | Only conditionally (like any other company)
  Operator          | Only conditionally                                                        | Yes (including protection of health data)
  Service provider  | Only conditionally                                                        | Only conditionally (like any other company; exception: processors)

The Digitale Gesundheitsanwendungen Verordnung (DiGAV) treats DiGA manufacturers as both manufacturers and operators.

b) Applicability of ISO 27001 for operators

Operators must protect health data through appropriate technical and organizational measures. This is demanded by, among others, the General Data Protection Regulation (GDPR). This usually requires an information security management system (ISMS).

To demonstrate its effectiveness, companies should comply with the requirements set out in relevant standards, such as ISO 27001 or the BSI standards (including BSI 200-2).

Some regulations, such as the DiGAV, even require certification according to one of these standards.

c) Applicability of ISO 27001 for manufacturers

Other standards apply to the development of secure and safe medical devices

Manufacturers must guarantee the IT security of their devices. This requires a “secure development lifecycle” containing specifications for the development, testing and post-market monitoring of devices that contain software.

There are standards and guidelines on this, such as the IEC 62443 family of standards, ISO 15408 (Common Criteria) and the notified bodies’ guidelines, which build on the Johner Institute's guidelines.

Additional information

You can find a complete list of regulatory requirements for IT security in medical devices and healthcare here.

ISO 27001 is useful with regard to the protection of your own IT and software

There is no direct requirement for an ISMS. However, manufacturers must ensure that the medical device software is free of malicious code at the time of delivery. This, in turn, means that they must protect their own IT. An ISMS is useful for this.

Therefore, ISO 27001 is a useful guide for organizations who “only” act as the manufacturer, but it is not a mandatory requirement.

d) Applicability for service providers

In their role as service providers, companies generally only have to comply with the requirements that apply to all companies and organizations. However, their customers (the marketers/manufacturers and operators) regularly pass additional requirements on to them, e.g., contractually.

If the service provider is a (data) processor, it is subject to requirements similar to those the operator is subject to. An ISMS, e.g., one certified according to ISO 27001, is the usual way to demonstrate that these requirements are met.

e) Summary

Depending on their role, organizations have to meet different regulatory requirements.

Fig. 1: ISO 27001 is particularly relevant for medical device manufacturers who also act as operators and have to guarantee the protection of health data. However, manufacturers must also protect their own information and IT to avoid placing insecure devices on the market.

2. What ISO 27001 requires (for readers in a hurry)

a) There are similarities with an ISO 13485-compliant QM system

ISO 27001 describes the requirements for an information security management system (ISMS) that are comparable to the requirements ISO 13485 establishes for a quality management system. Therefore, you will find some similar elements in ISO 27001 and ISO 13485:

  • Management responsibility (section 5), including the obligation to establish a “policy”
  • Requirement to provide the necessary resources (particularly competent personnel – from section 7.1) and manage information and documentation (from section 7.3)
  • Requirement to carry out a management review and internal audits (section 9)
  • Obligation to continual improvement (section 10), including the handling of nonconformities and corrective action (the counterpart of CAPA in ISO 13485)
  • Risk management process (sections 6 and 8). However, the risks are defined differently: ISO 27001 addresses information security risks to the organization, ISO 13485 (via ISO 14971) addresses risks to patients, users and third parties arising from the device

Fig. 2: ISO 27001 has ten sections and a normative annex. Some sections are similar to ISO 13485, others are specific to IT security.

b) There are requirements specific to IT security

Requirements in Annex A

In its normative Annex A, ISO 27001 describes specific control objectives and controls. (The Annex A numbering used in this article follows ISO/IEC 27001:2013; the 2022 edition reorganizes Annex A into four themes, so the clause numbers differ there.)

Fig. 3: Annex A of ISO 27001 describes specific requirements, objectives and measures

For example, in Annex A 9.2, the standard requires user access management. This must achieve the objective of ensuring “authorized user access and to prevent unauthorized access to systems and services.”

It defines five measures for this. The first one is:

“A formal user registration and deregistration process shall be implemented to enable the assignment of access rights”
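A formal registration and deregistration process is only verifiable if someone regularly checks that it actually ran. The following is an added example (not from the article, the standard, or any vendor tool) of the kind of leaver/orphan check an auditor would expect to see behind Annex A 9.2: it reconciles an account export from the identity system against the HR roster and reports every enabled account whose owner has left, who has no registered owner at all, or who has not used the access for a long time. The roster, the account list and the field names are constructed sample data and assumptions about your own exports.

```python
"""Leaver/orphan check for user access management (ISO 27001:2013 Annex A.9.2).

Added example, not from the article. The HR roster and account export below
are constructed sample data; field names are assumptions about your IdM/HR exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    person_id: str
    name: str
    active: bool
    last_day: Optional[date]  # set once the leaver date is known


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]  # None: not linked to any person (e.g. unowned service account)
    enabled: bool
    last_login: Optional[date]


TODAY = date(2024, 6, 1)  # constructed reference date for the check

# Constructed HR roster: Ben left on 15 May; Anna and Cara are still employed.
ROSTER: Dict[str, Employee] = {
    "p001": Employee("p001", "Anna Example", active=True, last_day=None),
    "p002": Employee("p002", "Ben Example", active=False, last_day=date(2024, 5, 15)),
    "p003": Employee("p003", "Cara Example", active=True, last_day=None),
}

# Constructed account export from the identity system.
ACCOUNTS: List[Account] = [
    Account("a.example", "p001", enabled=True, last_login=date(2024, 5, 30)),
    Account("b.example", "p002", enabled=True, last_login=date(2024, 5, 14)),  # leaver, still enabled
    Account("svc-build", None, enabled=True, last_login=date(2024, 5, 31)),    # nobody registered as owner
    Account("c.example", "p003", enabled=True, last_login=date(2024, 1, 10)),  # dormant access
    Account("old.intern", "p002", enabled=False, last_login=None),             # already deregistered
]


def find_deregistration_gaps(accounts, roster, today, stale_days=90) -> List[Tuple[str, str]]:
    """Return (username, reason) for every enabled account the deregistration process missed.

    Checked in order of severity:
      1. the account is not linked to any person in the roster (no accountable owner),
      2. the owner has left but the account is still enabled (deregistration not executed),
      3. the account has not been used for `stale_days` (access probably no longer needed).
    Disabled accounts are skipped: deregistration already happened for them.
    """
    findings = []
    for acc in accounts:
        if not acc.enabled:
            continue
        owner = roster.get(acc.person_id) if acc.person_id else None
        if owner is None:
            findings.append((acc.username, "no owner in HR roster"))
        elif not owner.active or (owner.last_day is not None and owner.last_day <= today):
            findings.append((acc.username, f"owner left on {owner.last_day}, account still enabled"))
        elif acc.last_login is None or (today - acc.last_login).days > stale_days:
            findings.append((acc.username, f"no login for more than {stale_days} days"))
    return findings


if __name__ == "__main__":
    for username, reason in find_deregistration_gaps(ACCOUNTS, ROSTER, TODAY):
        print(f"{username:12} {reason}")
```

Run against the constructed data, the check reports three accounts: b.example (owner left, still enabled), svc-build (no owner) and c.example (dormant). The point of the design is that the evidence for the auditor is the regular run of this reconciliation plus the tickets closing each finding, not the written process alone.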

For a lot of manufacturers who develop their own software, Annex A.14 is of particular interest because, among other things, it establishes requirements for “security in development and support processes.”

Annex A calls for numerous other verifiable measures:

  • Access to information and IT systems must be regulated
  • Data must be backed up
  • The security of networks must be increased by suitable segregation
  • Electronic messages must be protected
  • The administration of cryptographic controls must be regulated

It is ISO 27002, not ISO 27001, that provides specific advice on how these requirements can be met. More on this in section 4 of this article.

Requirements in the “main part”

If, and to what level of detail, organizations implement the requirements of Annex A depends on their individual protection requirements and their “policies.”

ISO 27001, therefore, requires the risks to be systematically identified and evaluated on the basis of previously defined risk acceptance criteria. Based on this evaluation, organizations are obliged to define and implement the measures and to regularly monitor their effectiveness (see Fig. 4).

Fig. 4: ISO 27001 requires an ongoing process for the analysis, evaluation and control of IT security risks.

3. How you can implement an ISO 27001-compliant ISMS

Don’t introduce a second management system

The MDR and IVDR require all medical device manufacturers to have a quality management system (QMS), generally a certified one (according to ISO 13485). Therefore, manufacturers should not establish a second management system, instead they should add additional aspects to their existing QMS.

Step 1: defining the objectives and scope

Organizations should be clear about their objectives:

  • Meeting regulatory requirements, avoiding regulatory hassle
  • Meeting customer requirements
  • Obtaining certification
  • Increasing the security of the information and IT systems at their organization
  • Increasing the safety of their devices
  • Being able to communicate more effectively in terms of marketing (e.g., with certification)
  • Understanding the status of their own organization with regard to IT security
  • Reducing chaos in their own organization

When considering their objectives, companies should also gain clarity about:

  • Which information and information technology they have to protect
  • What the financial, legal, and other consequences are and, therefore, what risks exist if this protection is not adequately put in place

As an additional outcome of this initial analysis, the organization should define the scope of its future ISMS. This would cover, for example:

  • Locations
  • Organizational units
  • Information, data
  • Infrastructure, information technology
  • The organization’s own devices

Step 2: performing a gap analysis

Once organizations have this understanding, they can carry out a gap analysis, i.e. get an idea of which ISO 27001 requirements have already been implemented in full, which ones have been implemented partially and which ones haven’t been implemented at all.

In most cases, companies or their service providers use Annex A or their own checklists to do this.

Step 3: establishing and implementing measures

It is now time to establish appropriate measures based on these results. Typical measures include:

  • Expanding existing process and work instructions, e.g., for:

    • Internal audits
    • Onboarding new employees
    • Software development

  • Creating missing process and work instructions, e.g., for:

    • Reporting security incidents
    • Access controls to systems and rooms
    • Disposing of data carriers
    • Using passwords

  • Adapting organizational structures, e.g.:

    • Creating new roles or adapting existing roles
    • Creating new or different responsibilities, e.g., for monitoring systems
    • Hiring people and training staff

  • Improving technical structures

    • Purchasing new hardware or software
    • Re-configuring existing systems
    • Segregating networks
    • Implementing monitoring systems

Step 4: performing an internal audit and management review

Companies should regularly carry out internal audits to monitor the progress and effectiveness of the measures. The internal audits required by the standard are a useful way of doing this.

In addition, management must review at planned intervals (in practice at least annually) whether the entire information security management system is working effectively.

Both the internal audits and the management review are mandatory prerequisites for the next step, certification.

Step 5: requesting and carrying out certification

Make sure that you only ask accredited certification bodies for quotes. In most cases, these bodies are cheaper and more readily available than the notified bodies.

The procedure for the certification audit is similar to that of the QM audits.

Summary

The path to a certified ISMS is similar to the path to a certified QMS. However, medical device manufacturers usually already have a QMS in place, so there is a greater understanding of these management systems.

A lot of processes, such as the processes for document control, management review, and corrective and preventive actions, already exist.

Therefore, the gap analysis and Annex A are important tools for planning the implementation of your own ISMS.

4. What else should you know about the ISO 27000 family

a) ISO 27002 helps implement ISO 27001

ISO 27002 acts as a guideline for the implementation of ISO 27001. In contrast to ISO 27001, organizations cannot be certified according to ISO 27002.

ISO 27002 provides more concrete guidance. For example, in Annex A 12.3.1, ISO 27001 requires:

Back-up copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.

ISO 27002 provides guidance on this. For example, backups should:

  • be stored at a location sufficiently far away
  • be protected against physical influences
  • be encrypted and
  • cover the entire system, not just its data.
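“Taken and tested regularly” is the part most often missing in practice: backup jobs report success, but nobody ever restores one. The following added example (not from the article or from ISO 27002; standard-library Python only) shows the minimum of what “tested” means: a full backup of a constructed system directory (configuration and data, not just data) with a SHA-256 manifest, followed by an automated restore into a scratch directory that compares every restored file against the manifest. It then damages the archive to show that the same test catches unusable media. Encryption of the archive is assumed to be provided by the backup tool or the storage layer and is not shown here.

```python
"""Backup with integrity manifest and automated restore test (ISO 27001:2013 Annex A.12.3.1).

Added example, not from the article or from ISO 27002. Uses only the Python standard
library; the sample "system" it backs up is constructed inside a temporary directory.
Encryption of the archive is not shown (the stdlib has no AES) and is assumed to be
provided by the backup tool or storage layer.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def create_backup(src_dir, backup_path):
    """Archive every file under src_dir and record its SHA-256 in a manifest.

    The manifest is what the restore test is checked against; it is written as a
    separate file so a damaged archive cannot also damage the reference.
    """
    files = {}
    for root, _dirs, names in os.walk(src_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in files:
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    manifest = {"source": os.path.abspath(src_dir), "files": files}
    with open(backup_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def _safe_extract(tar, dest):
    # Python >= 3.12 (and security backports) ship the "data" filter against path
    # traversal; otherwise reject any member that would land outside dest first.
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="data")
        return
    real_dest = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if not target.startswith(real_dest + os.sep):
            raise ValueError(f"unsafe path in archive: {member.name}")
    tar.extractall(dest)


def verify_restore(backup_path, manifest):
    """Restore into a scratch directory and compare every file against the manifest.

    Returns (ok, problems). A backup that cannot be restored, or restores with
    missing or altered files, is a failed backup even if the job reported success.
    """
    problems = []
    with tempfile.TemporaryDirectory() as dest:
        try:
            with tarfile.open(backup_path, "r:gz") as tar:
                _safe_extract(tar, dest)
        except Exception as exc:  # truncated/corrupt archive, unsafe member, I/O error
            return False, [f"restore failed: {exc}"]
        for rel, expected in manifest["files"].items():
            restored = os.path.join(dest, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return not problems, problems


def run_demo():
    """Back up a constructed system, test the restore, then damage the archive and test again."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "system")
        os.makedirs(os.path.join(src, "etc"))
        with open(os.path.join(src, "etc", "app.conf"), "w") as f:
            f.write("listen=127.0.0.1:8443\n")  # configuration belongs in a full-system backup
        with open(os.path.join(src, "patients.db"), "wb") as f:
            f.write(os.urandom(4096))          # constructed stand-in for application data
        backup = os.path.join(work, "full-system.tar.gz")
        manifest = create_backup(src, backup)
        good, _ = verify_restore(backup, manifest)
        # Simulate damaged media: truncate the archive to half its size.
        with open(backup, "r+b") as f:
            f.truncate(os.path.getsize(backup) // 2)
        damaged, problems = verify_restore(backup, manifest)
        return good, damaged, problems


if __name__ == "__main__":
    good, damaged, problems = run_demo()
    print("intact archive restores correctly:", good)
    print("truncated archive detected:", not damaged, problems)
```

In a real environment the restore test runs on a schedule against the copy at the remote location, not against the archive the job just wrote, and its result (together with the manifest) is the record an auditor will ask for.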

b) ISO 27799 is specific to the healthcare sector

ISO 27799 applies specifically to the healthcare system. This standard:

  • Adds some requirements, e.g., the requirement for encryption when backing up health data
  • Tightens existing requirements, e.g., replaces “should” with “must”
  • Gives specific explanations and instructions

Certification according to ISO 27799 is not possible either.

5. Summary and conclusion

a) IT security concerns manufacturers and operators

Organizations that process health data must have an information security management system in order to demonstrate compliance with the regulatory requirements for technical and organizational measures. A lot of DiGA providers are such organizations.

Medical device manufacturers must guarantee the IT security of their devices. This in turn requires these devices (particularly their software and the development and production environment) to also be secure. An ISMS helps to ensure that this protection is in place.

b) The ISO 27000 family of standards is helpful

The ISO 27000 family of standards sets out documented and generally easy-to-understand requirements for information security management systems (especially ISO 27001) and gives concrete advice for implementation (especially ISO 27002).

c) Manufacturers must meet the preconditions

Without a clear “management commitment”, an organization will not be able to build and successfully run an ISMS in the long term. The fish rots from the head in this context as well.

The following are also vital for success:

  • Investment in employee skills
  • Raising awareness of the importance of IT security
  • Smooth communication between the team and with external parties.

d) An ISMS should be understood as a never-ending journey

Meeting the requirements of the standard requires a lot of work. Companies should be aware that they are setting off on a journey that never ends and that involves continuous time and effort, but one that increases IT security.

But even this mountain of work can be managed in small, iterative and incremental steps. An important step in this process is the gap analysis, which provides an overview of the nature and scope of this work.

Implementing an information security management system according to ISO 27001 or other guidelines is not rocket science. Thousands of companies have already successfully gone down this path. Manufacturers and operators of medical devices and IT systems that process health data, in particular, should or, in some cases, have to go down this path.


The Johner Institute helps manufacturers of medical devices to introduce QM systems and ISO 13485 and ISO 27001-compliant ISMS to meet, for example, the prerequisites for certification and inclusion of their devices in the DiGA directory. Get in contact with us.
