ISO 27001 and information security management systems (ISMSs) are becoming increasingly common topics of debate during ISO 13485 audits. The regulations are the reason for this. And it’s not just because of the Digitale Gesundheitsanwendungen Verordnung (DiGAV), although it has put ISO 27001 into the spotlight for a lot of medical device manufacturers.
Manufacturers have to comply with the regulatory requirements to avoid problems with the regulatory authorities and notified bodies, and to avoid endangering patients. However, they should also avoid unnecessary efforts and costs. So, they should understand:
Organizations can take on different roles:
The regulatory requirements are primarily aimed at marketers and operators:
Yes (including manufacturing, “authorization”, post-market surveillance)
Only conditionally (like any other company)
Yes (including protection of health data)
Only conditionally (like any other company; exception: processors).
The Digitale Gesundheitsanwendungen Verordnung (DiGAV) treats companies both as operators and as manufacturers.
Operators must protect health data through appropriate technical and organizational measures. This is demanded by, among others, the General Data Protection Regulation (GDPR). This usually requires an information security management system (ISMS).
To demonstrate its effectiveness, companies should comply with the requirements set out in relevant standards, such as ISO 27001 or the BSI standards (including BSI 200-2).
Some regulations, such as the DiGAV, even require certification according to one of these standards.
Manufacturers must guarantee the IT security of their devices. This requires a “secure development lifecycle” containing specifications for the development, testing and surveillance of devices that contain software.
There are standards and guidelines on this, such as the IEC 62443 family of standards, ISO 15408 and the notified bodies’ guidelines, which build on the Johner Institute's guidelines.
You can find a complete list of regulatory requirements for IT security in medical devices and healthcare here.
There is no direct requirement for an ISMS. However, manufacturers must ensure that the medical device software is free of malicious code at the time of delivery. This, in turn, means that they must protect their own IT. An ISMS is useful for this.
Therefore, ISO 27001 is a useful guide for organizations who “only” act as the manufacturer, but it is not a mandatory requirement.
In their role as service providers, companies generally only have to comply with the requirements that apply to all companies and organizations. However, they regularly make their customers (the marketer/manufacturer and operators) meet additional requirements.
If the service provider is a (data) processor, they are subject to requirements similar to those the operator is subject to. This requires an ISMS that is certified according to, e.g., ISO 27001.
Depending on their role, organizations have to meet different regulatory requirements.
ISO 27001 describes the requirements for an information security management system (ISMS) that are comparable to the requirements ISO 13485 establishes for a quality management system. Therefore, you will find some similar elements in ISO 27001 and ISO 13485:
In its normative Annex A, ISO 27001 describes several specific requirements, objectives and measures.
For example, in Annex A 9.2, the standard requires user access management. This must achieve the objective of ensuring “authorized user access and to prevent unauthorized access to systems and services.”
It defines five measures for this. The first one is:
“A formal user registration and deregistration process shall be implemented to enable the assignment of access rights.”
For a lot of manufacturers who develop their own software, Annex A.14 is of particular interest because, among other things, it establishes requirements for “security in development and support processes.”
Annex A calls for numerous other verifiable measures:
It is ISO 27002, not ISO 27001, that provides specific advice on how these requirements can be met. More on this in section 4 of this article.
If, and to what level of detail, organizations implement the requirements of Annex A depends on their individual protection requirements and their “policies.”
ISO 27001, therefore, requires the risks to be systematically identified and evaluated on the basis of previously defined risk acceptance criteria. Based on this evaluation, manufacturers are obliged to define and implement the measures and to regularly monitor their effectiveness (see Fig. 4).
The MDR and IVDR require all medical device manufacturers to have a quality management system (QMS), generally a certified one (according to ISO 13485). Therefore, manufacturers should not establish a second management system; instead, they should add the additional aspects to their existing QMS.
Organizations should be clear about their objectives:
When considering their objectives, companies should also gain clarity about:
As an additional outcome of this initial analysis, the organization should define a future ISMS. This would look at, for example:
Once organizations have this understanding, they can carry out a gap analysis, i.e. get an idea of which ISO 27001 requirements have already been implemented in full, which ones have been implemented partially and which ones haven’t been implemented at all.
In most cases, companies or their service providers use Annex A or their own checklists to do this.
It is now time to establish appropriate measures based on these results. Typical measures include:
Companies should regularly carry out internal audits to monitor the progress and effectiveness of the measures. The internal audits required by the standard are a useful way of doing this.
In addition, management must regularly (at least annually) make sure that the entire information security management system is working effectively.
Both the internal audits and management evaluation are mandatory requirements for the next step, certification.
Make sure that you only ask accredited certification bodies for quotes. In most cases, these bodies are cheaper and more readily available than the notified bodies.
The procedure for the certification audit is similar to that of the QM audits.
The path to a certified ISMS is similar to the path to a certified QMS. However, medical device manufacturers usually already have a QMS in place, so there is a greater understanding of these management systems.
A lot of processes, such as the processes for document control, management review, and corrective and preventive actions, already exist.
Therefore, the gap analysis and Annex A are important tools for planning the implementation of your own ISMS.
ISO 27002 acts as a guideline for the implementation of ISO 27001. In contrast to ISO 27001, organizations cannot be certified according to ISO 27002.
ISO 27002 provides more concrete guidance. For example, in Annex A 12.3.1, ISO 27001 requires:
Back-up copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.
ISO 27002 provides guidance on this. So, backups should:
ISO 27799 applies specifically to the healthcare system. This standard:
Certification according to ISO 27799 is not possible either.
Organizations that process health data must have an information security management system in order to demonstrate compliance with the regulatory requirements for technical and organizational measures. A lot of DiGA providers are such organizations.
Medical device manufacturers must guarantee the IT security of their devices. This in turn requires these devices (particularly their software and the development and production environment) to also be secure. An ISMS helps to ensure that this protection is in place.
The ISO 27000 family of standards sets out documented and generally easy-to-understand requirements for information security management systems (especially ISO 27001) and gives concrete advice for implementation (especially ISO 27002).
Without a clear “management commitment”, an organization will not be able to build and successfully run an ISMS in the long term. The fish rots from the head in this context as well.
The following are also vital for success:
Meeting the requirements of the standard requires a lot of work. Companies should be aware that they are setting off on a journey that never ends and that involves continuous time and effort, but one that increases IT security.
But even this mountain of work can be managed in small, iterative and incremental steps. An important step in this process is the gap analysis, which provides an overview of the nature and scope of this work.
Implementing an information security management system according to ISO 27001 or other guidelines is not rocket science. Thousands of companies have already successfully gone down this path. Manufacturers and operators of medical devices and IT systems who process health data, in particular, should or, in some cases, have to go down this path.
The Johner Institute helps manufacturers of medical devices to introduce QM systems compliant with ISO 13485 and ISMSs compliant with ISO 27001, for example to meet the prerequisites for certification and for inclusion of their devices in the DiGA directory. Get in contact with us.