This short article is meant to establish a background for the discussion of safety and regulatory concerns of internet-connected medical devices. In the future, the MAPS MedTech Focus Area Working Group (FAWG) will offer additional resources and guidance. (Please see recent MedTech resources listed at the bottom of this post.)
John Giantsidis, JD, MEng, President of CyberActa, Inc.
Ajit Patwardhan, MD, MS, MBA, Medical Safety Officer at Olympus Surgical Technologies of America
The article represents the independent views and opinions of the authors and does not necessarily reflect the opinions of their employers.
Connectivity and digitization of medical device technologies can improve device functionality and benefit. However, the connection of medical devices to networks or the internet exposes them to increased cyber threats that can potentially lead to an increased risk of harm to patients. Threats might include:
- denial of intended service or therapy
- alteration of device function to directly cause patient harm
- alteration of personal health data
- loss of privacy
Additionally, there are fundamental security interdependencies between medical devices and the networks they connect to. Cybersecurity for medical devices must be considered as part of a layered, holistic security ecosystem. The cybersecurity landscape is constantly evolving. Assessment and management of cybersecurity risks that could compromise the health and safety of a patient, user, or any other person, as with other risks for medical devices, is the responsibility of the manufacturer.
Users, consumers, and patients using connected medical devices are to be fully informed about the potential cybersecurity risks these devices may expose them to, to take proactive action to protect their devices and networks, and to act responsibly online. Alongside receiving information on the device, consumers are encouraged to ask their health professional questions to help build their understanding of using the device safely and securely.
The FDA is slowly transitioning from a voluntary to a mandatory regulatory framework and in October 2020 issued another request for information. Now, medical device cybersecurity is the norm in Europe (EU MDR), so any company selling in Europe must consider these regulations as part of their overall safety schema. Manufacturers are required to address cybersecurity risks during the design and development process, including:
- general considerations, such as the development approach; administration protocols; application of standards; risk management strategies; infrastructure, manufacturing and supply chain management; and provision of information for users
- technical considerations, such as cybersecurity penetration testing; design architecture; operating platform security; emerging software; and trusted access and content provision
- environmental considerations for the device’s intended use, such as connecting to networks, and uploading or downloading data
- physical considerations, such as mechanical locks on devices and interfaces, physically securing networks, waste management (preventing the capture of sensitive paper-based information)
- social considerations, such as designing out or minimizing social-engineering threats (e.g., phishing, impersonation, baiting, tailgating)
Manufacturers and sponsors are required to continually assess and act on medical device cybersecurity risk. The cybersecurity threat landscape changes over short periods; therefore, a compliant risk management strategy will demonstrate how medical device cybersecurity risk is reviewed and updated. Cybersecurity events that do not appear to immediately impact a medical device are still part of the cybersecurity threat landscape and will need to be considered as part of a compliant medical device cybersecurity risk management strategy.
The expected approach to medical device cybersecurity recognizes that, as with other risks, failure to effectively minimize or manage cybersecurity risk can result in compromised device functionality, loss of availability or integrity of medical or personal data, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.