Medical devices and why cybersecurity is non-negotiable

Regulatory authorities have long expected medical device companies to manage the cybersecurity of their products effectively.

Published on: September 12, 2024

This article was originally published in New Electronics.

To aid this effort, the Food and Drug Administration (FDA) issued its first guidance on medical device cybersecurity in 2005, focusing on networked medical devices with off-the-shelf (OTS) software.

Over the years, the FDA’s premarket guidance has evolved significantly, expanding from a 9-page document in 2014 to a comprehensive 57-page guidance in 2023. This growth alone shows the increasing importance of cybersecurity in the medical device industry.

The 2023 Consolidated Appropriations Act, however, transformed the FDA’s traditionally informal recommendations on medical device cybersecurity into formal, law-based requirements. Coupled with the FDA’s 2023 updated guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, this development signifies heightened standards in medical device cybersecurity. Together, these changes represent a significant advancement in the regulatory landscape for medical device cybersecurity.

Ensuring medical devices remain ‘cyber safe’

As initiatives from around the world demonstrate, these expectations are not exclusive to the US. For instance, the EU’s 2022/2555 Directive on the Security of Network and Information Systems (NIS2) now requires manufacturers of medical products, including chemicals (APIs), pharmaceuticals, and medical devices, to implement comprehensive cybersecurity risk management measures and adhere to reporting requirements.

Then, in Australia, the Therapeutic Goods Administration (TGA) issued the 2022 Medical Device Cybersecurity Guidance for Industry, which mandates a total product lifecycle (TPLC) approach to cybersecurity. This approach requires manufacturers to incorporate penetration testing, threat modelling, and other proactive measures into their risk management assessment process.

In Singapore, the Cybersecurity Labelling Scheme for Medical Devices (CLS-MD) introduces a rating system for medical devices based on their cybersecurity provisions. Under this scheme, medical devices are assessed and labelled according to their cybersecurity robustness, providing valuable information to the general public and healthcare providers. This labelling system enables informed purchasing decisions, allowing stakeholders to identify and select medical devices that meet high cybersecurity standards.

These global initiatives reflect a growing international consensus on the importance of robust cybersecurity measures in the medical device industry.

The advantages of interconnectedness are not without weaknesses

When a medical device includes software, especially if it can connect electronically to other devices or networks, prioritising cybersecurity becomes crucial. The interconnectedness of medical devices in the modern medical landscape, facilitated by software-enabled smart medical devices and a shift towards an Internet of Things (IoT) undeniably offers the benefit of convenient, timely care.

For example, patients with heart implants can be monitored remotely, reducing the need for frequent visits to the doctor. Similarly, new tools for managing blood sugar levels allow glucose meters and insulin pumps to interact seamlessly. Hospitals are also adopting more interconnected devices to enhance care and efficiency by sharing data seamlessly. At the same time, however, this makes medical devices more vulnerable to cyberattacks and security breaches wherever there are weak links in healthcare systems.

The heightened risks stem from malicious actors targeting healthcare organisations to exploit vulnerable devices, access patient records, disrupt operations, demand ransoms, or infiltrate networks. For instance, devices such as insulin pumps, heart pacemakers, and wearables face heightened vulnerability due to their real-time tracking of patient data and immediate transmission of information to patients and doctors. As a result, robust cybersecurity measures are essential to protect these critical devices and ensure patient safety.

Practical implications for developers

The FDA’s cybersecurity guidance and regulatory scope encompass a wide range of device software functionalities, including data storage, transfer, and analysis. Any medical or diagnostic device with upgradable software, a USB port, or even compact disc technology is now classified as a connected device and falls under the new regulations.

Both the FDA and the UK NCSC’s Secure Design Principles stress the importance of manufacturers taking into account the broader ecosystem and interconnectedness of devices.

Rather than operating in isolation, security objectives should be integrated across the entire system architecture of medical devices.

Medical Device Manufacturers (MDMs) should perform threat modelling on devices well in advance of their release to promptly identify security threats and vulnerabilities, evaluate them, and prioritise them to ensure that the devices are secure before they are released to the market. Creating a prioritised list of key concerns enables teams to effectively tackle and resolve critical issues prior to submission. Moreover, it establishes a documented log of security considerations that teams can systematically address in future iterations.
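The prioritised, documented list described above can be kept as a structured threat register that is scored, sorted and re-checked on every iteration. The following Python is an added example, not code from the original article: the device, threats, mitigations and scores are constructed, and the scoring scheme (likelihood multiplied by impact, with a doubled weight for threats that can harm a patient) is one common convention rather than a regulator-mandated formula.

```python
"""Prioritised threat register for a connected medical device (added example).

All threats, scores and mitigations below are constructed for illustration.
STRIDE categories are used for the 'category' field, which is an assumption
about method, not something the article prescribes.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SAFETY_WEIGHT = 2  # constructed convention: patient-safety threats count double


@dataclass
class Threat:
    id: str
    asset: str
    category: str            # STRIDE category, e.g. "Tampering"
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), before mitigation
    impact: int              # 1 (negligible) .. 5 (severe)
    patient_safety: bool     # can this threat directly harm the patient?
    mitigations: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # likelihood after mitigations

    def _weight(self) -> int:
        return SAFETY_WEIGHT if self.patient_safety else 1

    def inherent_risk(self) -> int:
        """Risk before any mitigation is applied."""
        return self.likelihood * self.impact * self._weight()

    def residual_risk(self) -> int:
        """Risk after mitigations; equals inherent risk if none are recorded."""
        likelihood = (self.residual_likelihood
                      if self.residual_likelihood is not None else self.likelihood)
        return likelihood * self.impact * self._weight()


# Constructed register for a hypothetical glucose-meter / insulin-pump pair.
REGISTER = [
    Threat("T1", "pump command channel", "Tampering",
           "dose command accepted without verifying the sender",
           likelihood=4, impact=5, patient_safety=True,
           mitigations=["mutual authentication on the pairing channel"],
           residual_likelihood=1),
    Threat("T2", "glucose readings in transit", "Information disclosure",
           "readings transmitted without encryption",
           likelihood=3, impact=3, patient_safety=False),
    Threat("T3", "pump radio stack", "Denial of service",
           "malformed packet resets the controller mid-infusion",
           likelihood=2, impact=4, patient_safety=True),
]


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Return the register ordered by residual risk, highest first."""
    return sorted(threats, key=lambda t: t.residual_risk(), reverse=True)


def submission_blockers(threats: List[Threat], threshold: int) -> List[str]:
    """Ids of threats whose residual risk is still at or above the threshold.

    These are the items a team would resolve (or justify) before submission.
    """
    return [t.id for t in prioritise(threats) if t.residual_risk() >= threshold]


if __name__ == "__main__":
    for t in prioritise(REGISTER):
        print(f"{t.id} {t.category:<22} inherent={t.inherent_risk():>2} "
              f"residual={t.residual_risk():>2} mitigations={t.mitigations}")
    print("blockers:", submission_blockers(REGISTER, threshold=10))
```

The register is the "documented log" the paragraph refers to: each entry keeps its inherent score, so a later iteration can see why a mitigation was chosen, and the blocker gate makes the prioritisation an explicit release criterion rather than a judgement call.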

It’s also important to address systemic issues to avoid the need for singular fixes later. This may involve revising standard operating procedures, aligning the quality management system, and developing comprehensive security strategies that span the entire development lifecycle, meeting both cybersecurity standards and regulatory requirements.

Ultimately, failure to meet the explicit criteria set by the FDA for cybersecurity measures not only puts patient safety at risk and compromises data integrity, but could also delay market entry, leading to financial losses and reputational harm. Similarly, in the EU, manufacturers that fail to comply with the Cyber Resilience Act could face removal of their product from the Single Market or substantial fines comparable to those stipulated in the General Data Protection Regulation (GDPR).

To mitigate risk, the FDA recommends implementing a “software bill of materials” (SBOM) programme as a fundamental element of software security and supply chain management. The SBOM provides a comprehensive list of all software components within a device, enabling effective tracking and management of vulnerabilities.
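What "tracking and management of vulnerabilities" looks like in practice is a routine match of the SBOM's component list against an advisory feed. The Python below is an added example, not code from the original article or from any FDA tooling: the SBOM uses the CycloneDX JSON layout (bomFormat, components, purl) but is a constructed sample for a hypothetical device, and the advisory feed with its ADV-EXAMPLE ids is a constructed placeholder, not real CVE data. A production pipeline would pull advisories from NVD, OSV or a vendor feed and rerun this match on every build and every feed refresh.

```python
"""Match a device SBOM against a vulnerability feed (added example).

The SBOM and advisory feed are constructed samples; the advisory ids are
placeholders and do not refer to real vulnerabilities.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical pump controller firmware.
DEVICE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "pump-controller-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "name": "mbedtls", "version": "2.28.1",
         "purl": "pkg:generic/mbedtls@2.28.1"},
    ],
})

# Constructed advisory feed: "affected_below" is the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl",
     "affected_below": "1.1.1t", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib",
     "affected_below": "1.2.12", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "component": "mbedtls",
     "affected_below": "2.28.3", "severity": "critical"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Turn '1.1.1k' into a comparable tuple: numbers as ints, letter suffixes as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(digits):]
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_affected(sbom_json, advisories):
    """List SBOM components whose version is below an advisory's fixed version.

    Results are sorted by severity so the most urgent item comes first.
    """
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["component"] != name:
                continue
            if parse_version(version) < parse_version(adv["affected_below"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["affected_below"],
                })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in find_affected(DEVICE_SBOM, ADVISORIES):
        print(f"{f['severity']:<8} {f['component']} {f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
```

Because the SBOM is data rather than a manual inventory, the same match can run against a new advisory feed long after release, which is what turns a one-off premarket check into the lifecycle tracking the guidance asks for.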

Understanding and aligning with cybersecurity requirements and expectations in target markets is essential for manufacturers to navigate regulatory landscapes effectively and ensure the security and integrity of their medical devices.

Prevention is better than cure

It’s important to note that cybersecurity shouldn’t be an afterthought but should be woven into the foundation of developing medical devices.

Cybersecurity must be a priority across all facets of the business, including budget allocation, resource allocation, training, and so on. It’s not just about abiding by regulations and avoiding penalties; it’s about recognising that the true benefit of advanced, interconnected devices will shine through only if end-users can trust the devices that are so closely integrated into their lives. The software behind these devices, if not built with cybersecurity in mind, can become vulnerable to cyber threats, thereby exposing the patients who rely on them to the same risks. That defeats the purpose.

Systemic issues must also be addressed when designing a security strategy in order to avoid subsequent fixes down the line. Giving due importance to such processes will allow developers to foresee any potential risks and enable them to take corrective measures well in advance, ultimately saving the trouble of potential reputational damage, financial losses, market delays, and patient safety issues.
