The current approach used by medical device and system manufacturers is mainly safety-by-design. This approach is concerned with protection against threats that originate within a system (e.g. system failures) and occur as accidental events. It leads to design limitations in medical devices, which usually address security-engineering aspects related to cyber risks only poorly, or not at all.
The scenario involved developing a new version of RINICOM's PRIME IoT remote health monitoring system, which was being updated to include risk prediction algorithms. The CST was used to perform a self-assessment throughout the design process of the new features and helped RINICOM verify the compliance rate against standards and regulations over the entire process. The regulations and standards in scope were as follows: GDPR, ISO 27001, ISO 27799:2008, IEC 80001-1:2010, ISO 13485:2016, MDR (REGULATION (EU) 2017/745), ISO 14971, IEC 62304:2006.
Using the CST would improve the overall performance of the conformity assessment by making the assessment easier, reducing the time it takes, and increasing the accuracy with which compliance and non-compliance are identified.
"This is a very useful tool which helped us to identify and improve our design and general approach to the design of medical devices. Our product requires certification to certain standards. CST provided a more in-depth analysis of our tool than we have done previously. Not all aspects of the assessment are operationally relevant, but it will still be utilized by RINICOM in future upgrades and new product developments." RINICOM Ltd CEO