Navigating the evolving landscape of cybersecurity in medical devices

Cybersecurity in Medical Devices | Hydrix

Author: Rian Veale

Cybersecurity has become a pivotal concern in the realm of medical devices, driven by the rapid advancements in technology and the increasing connectivity of these devices. This connectivity, while offering numerous benefits such as remote monitoring and data export, introduces significant risks that can compromise patient safety and privacy.

As regulatory bodies worldwide enhance their expectations and vigilance regarding cybersecurity, it is crucial for medical device manufacturers to adapt and integrate robust cybersecurity measures into the device design. Considering cybersecurity measures needs to be integrated throughout the entire device lifecycle. This may seem like a significant change to existing practices however, there’s no need to panic! With the right guidance and expertise, these challenges can be effectively managed, ensuring that devices remain both safe and compliant.

Why cybersecurity matters for medical devices  

Cybersecurity in Medical Devices Consultants and Developers

Historically, the primary focus for medical device manufacturers was on device operational safety and efficacy. However, as devices have become more interconnected, cybersecurity has emerged as a critical component of overall device safety. The risks associated with cybersecurity breaches in medical devices range from denial of service, where a device becomes inoperable, to more severe consequences such as altered device functionality that can harm patients or loss of sensitive personal data.

By way of example, consider a scenario where a medical device like an insulin pump or a pacemaker is hacked. The attacker could potentially alter the device’s settings, leading to dangerous health outcomes for the patient. In addition, the unauthorised access and dissemination of personal health records can lead to significant privacy breaches. These risks are real and it’s important to approach them with a sense of preparedness rather than trepidation.

Regulatory responses to cybersecurity challenges 

Regulatory bodies globally have recognised the increasing importance of cybersecurity and are actively updating their guidance documents to address these risks. Medical device manufacturers need to aware of the new guidance in order to meet the regulatory requirement of devices being safe and effective, and to conform to current regulations.

In September 2023, the FDA released their final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, emphasising that cybersecurity is integral to the safety and effectiveness of medical devices containing software. This comprehensive document underscores common-sense practices and is designed to ensure that cybersecurity is embedded throughout the total product lifecycle—from design and development, manufacturing, testing, to post-market monitoring activities.

The FDA’s guidance necessitates that manufacturers provide extensive documentation showing how cybersecurity risks have been assessed and addressed as part of their premarket submission. This includes demonstrating a secure lifecycle approach, where cybersecurity measures are integrated from the design phase and maintained through market release and beyond. The extent of the cybersecurity assurance required is based on the device’s potential impact on patient health and privacy.

Given the importance of cybersecurity as it relates to medical device safety and effectiveness, the USA FDA  has already rejected some premarket applications where cybersecurity concerns and mitigations were not well addressed.

Option 1C

In March 2024, a draft updated guidance was issued, specifying that any device with software or connectivity capabilities falls under these cybersecurity requirements and proposing to add sections to the September 2023 guidance. Included was clarification on who is required to comply, the types of devices, and the documentation recommended to submit in premarket applications to comply with section 524B of the FD&C Act to ensure cybersecurity of medical devices.

The broad definition of all devices containing software or programmable logic included in the draft guidance ensures that even devices with minimal connectivity or even with the potential to have connectivity during its lifetime, are covered.  As software will require updates at some stage during its lifetime, then software as a medical device and software incorporated in medical devices will fall under the cybersecurity requirements. So, devices do not need to be connected to the internet in order to be classified as a cyber device – as long as the software is updated, collects data, or downloads data, it will be subject to cybersecurity requirements. The emphasis is not merely on the technical details like encryption algorithms but also on practical aspects such as access control, update mechanisms, and incident response plans.

Cybersecurity is a global concern, with regulators expecting to see how cybersecurity has been embedded into the device and how it will be addressed through the whole product life cycle.  Add to this, the privacy laws protecting the leaking of patient data, such as for example the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations of the USA, and the General Data Protection Regulation (GDPR) of the EU, which demonstrates that medical device cybersecurity has become as critical as ever.

Key components of cybersecurity compliance 

Option 1

One of the most significant additions to the regulatory framework is the concept of a Software Bill of Materials (SBOM). The SBOM acts like a fingerprint for the software components within a medical device, allowing manufacturers to track and monitor known vulnerabilities effectively. By maintaining an SBOM, manufacturers can proactively identify and address vulnerabilities before they are exploited, ensuring ongoing device security.

Manufacturers are also required to implement and maintain processes and procedures that provide reasonable assurance of cybersecurity. This includes plans for regular software updates and emergency patches, reflecting the evolving nature of cybersecurity threats. Additionally, instructions for use must now encompass cybersecurity guidelines, educating users on recognising and responding to potential compromises.

Moving forward with confidence 

The integration of cybersecurity into the regulatory framework for medical devices marks a significant evolution in ensuring patient safety and privacy. While the increased emphasis on cybersecurity introduces new challenges, and effort, it also offers opportunities for innovation and improved patient outcomes. By adopting a proactive, comprehensive approach to cybersecurity, manufacturers can not only comply with regulatory requirements but also enhance the overall trust and reliability of their devices.

As the landscape continues to evolve, staying informed and adaptable will be key. With ongoing developments and updates from regulatory bodies, the medical device industry must prioritise cybersecurity as an integral component of design, development, and maintenance, ensuring that devices are both safe and secure in an increasingly connected world.

This expanded view demands that system engineers, software developers, and manufacturers adopt new standards, updated quality systems, and practices to meet regulatory expectations.

In summary, don’t panic!

Cybersecurity in Medical Devices Leading Experts - Regulatory Services

From our experience in cybersecurity remediation and integration, we have learned that a careful and thoughtful approach is crucial for ensuring success. Although we are all still early in this journey, we have gathered a few valuable insights that we believe are worth sharing:

Integrate early into design and development:

Neglecting cybersecurity in medical devices can expose manufacturers and patients to significant risks with lapses potentially leading to catastrophic outcomes such as affecting multiple patients simultaneously. There is also significant risk of the device being rejected by regulatory bodies resulting in loss of revenue, together with the additional burden of product remediation costs.

Cybersecurity must be integrated into the device development and design process throughout the entire product lifecycle. Implementing cybersecurity as an afterthought can be both ineffective and risky.

Apply appropriate consideration during changes:

When modifying existing products, make cybersecurity a key consideration. Remediation projects often require addressing foundational gaps, something akin to renovating a house rather than rebuilding it.

Ongoing evolution and adaptation:

The approach to cybersecurity in medical devices continues to evolve, with new methods and standards being developed across different geographies. Over the next few years, cybersecurity practices will become standardised, making compliance an integral part of the device development process. While the increased focus on cybersecurity presents challenges, it also offers opportunities to improve patient safety and product integrity.

By viewing cybersecurity not as an additional burden but as a critical aspect of overall safety and product quality, medical device developers can integrate security measures seamlessly into the design and development process. This proactive approach ensures that devices are resilient against cyber threats from the outset, rather than retroactively addressing vulnerabilities.

Emphasising cybersecurity as a fundamental component of product quality helps to foster a culture of security within the development team, leading to more robust and secure medical devices. Additionally, this perspective can streamline compliance with regulatory requirements, reduce the risk of costly breaches, and ultimately protect patient health and trust in medical technologies.

By understanding and addressing these key points, stakeholders in the medical device industry can better navigate the complexities of cybersecurity compliance and ensure the safety and efficacy of their products.

About the author

Rian Veale   |   Principal Software Engineer

Rian is a Principal Software Engineer at Hydrix with over 25 years’ experience in product development. His expertise spans a wide range of areas, including tactical radio systems, communications protocols, security, safety-critical medical devices (Class I/II/III), HF/VHF/LF/UHF radio communications and signal processing, hard real-time critical systems software design, large-scale mission-critical infrastructure such as online banking, electronics and embedded software, and regulated software development.

ADLM 2024 | Hydrix