Medical device HIPAA compliance in encryption

#1
Hi,
I hope it's ok to ask here..
My company is making a diagnostic medical device that uses Wi-Fi, so it needs to be encrypted. There is no physical risk to the user if the device is hacked or stops working.

Does the encryption need to have a different key for each device or can we use a universal key for all the devices?
I couldn't find the answer in the HIPAA compliance or in the FDA's "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices".
 

yodon

Staff member
Super Moderator
#2
UL 2900 (FDA recognized) says that "10.4 The product shall use a separate cryptographic key for each service, operation, or function (e.g. data at rest encryption, transport layer encryption, operator role authentication, remote software upgrade image integrity). The vendor shall clearly document the intended purpose of each key used by the product. Rationale shall be documented in accordance with Vendor Product Risk Management Process, Section 12." I don't see anything about a different key per device, though.

I would suggest that, whatever decision you make, support it with the risk analysis.

Note that standard has a list of acceptable security functions and one is:

k) NIST FIPS 140-2, Annex D: Approved Key Establishment Techniques, ref. [23].

That might be a source that gives more information (I don't have a copy).
 

colinkmorgan

Managing Director
#3
While there may not be an explicit requirement for using unique keys per device, there are definitely many factors to consider around this.
  • Where are the keys being stored? Are they stored within the same device and if so where?
  • What type of encryption are you using? Symmetric, Asymmetric?
  • What type of information is within the device and is that being protected? E.g. you mention WiFi, how are you protecting WiFi credentials of certificates?
  • If this diagnostic device is going to be inside of a clinical environment (e.g. hospital) there is more than just safety risk to consider, as if the device is hacked, it could be used as a pivot point into the hospital and create much larger impact.
  • Is there any intellectual property you want to protect that is in the device? Source code, configuration files, etc.
Best practice is to use per-device encryption keys for device-to-device (or cloud) authentication and for data protection, as it minimizes the potential impact to a single device rather than a fleet of devices.

As the other poster mentioned, whatever path you take just be sure to document the decision accordingly. E.g. if you choose a universal key, this should be documented in your cybersecurity risk assessment as a known residual risk, with your mitigations and scoring identified.

Colin Morgan, CISSP, CISM, GPEN
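
An added example, not part of any post in this thread: one common way to get per-device keys and a separate key per function (the UL 2900 clause quoted in #2) is to derive them at provisioning time with HKDF (RFC 5869), then compare how far one leaked key reaches in a per-device fleet versus a universal-key fleet. The serial numbers, purpose labels, master secret and function names are constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: concentrate the input keying material into a PRK.
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # RFC 5869 step 2: T(n) = HMAC(PRK, T(n-1) | info | n)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

# One key per function, mirroring the examples in the quoted clause (labels assumed).
PURPOSES = ("data-at-rest", "transport", "operator-auth")

def provision_device(master_secret: bytes, serial: str) -> dict:
    """Runs on the provisioning server; the master secret never ships on a device."""
    prk = hkdf_extract(salt=serial.encode(), ikm=master_secret)
    return {p: hkdf_expand(prk, info=p.encode()) for p in PURPOSES}

def devices_exposed_by(leaked_key: bytes, fleet: dict) -> list:
    """Serials of every device that uses leaked_key for any purpose."""
    return sorted(
        serial for serial, keys in fleet.items()
        if any(hmac.compare_digest(leaked_key, k) for k in keys.values())
    )

# Constructed sample data; a real master secret would live in an HSM.
MASTER = hashlib.sha256(b"constructed demo master secret").digest()
SERIALS = ["SN-0001", "SN-0002", "SN-0003"]

per_device_fleet = {s: provision_device(MASTER, s) for s in SERIALS}
# Universal-key design: every unit is flashed with the same key set.
universal_keys = provision_device(MASTER, "universal")
universal_fleet = {s: universal_keys for s in SERIALS}

if __name__ == "__main__":
    leaked = per_device_fleet["SN-0001"]["transport"]
    print("per-device:", devices_exposed_by(leaked, per_device_fleet))
    print("universal: ", devices_exposed_by(universal_keys["transport"], universal_fleet))
```

The exposure list for each design is the kind of evidence the risk assessment mentioned in #2 and #3 can cite when documenting the key-management decision.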