In June 2019, Medtronic announced the recall of 4000 insulin pumps. Why? Due to a lack of cybersecurity planning, it was impossible to update or patch these devices when the pumps were found to be vulnerable to attack through insecure wireless communications. Without patches, there was no way to stop potential life-threatening interventions by bad actors. As the FDA described the issue:
“This could allow a person to over deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis (a buildup of acids in the blood).”
The FDA’s safety communication over the issue of cybersecurity in connected medical devices hit the headlines. Currently, it’s an area of medical device development not covered by legislation, although best practice development guidelines point to including cybersecurity at the design stage. Manufacturers need to start thinking outside of the “letter” of legislation and focus on reducing harm to patients. Besides patients, there is a real risk of reputation damage and a loss of trust from key stakeholders.
When to start thinking about cybersecurity in medical device development
When do you need to start thinking about cybersecurity? The FDA is asking manufacturers to start thinking about it in the design phase of a device. While cybersecurity affects all stages of the medical device lifecycle, cybersecurity must be there from the start.
Speak with an engineer about building cybersecurity into a device and they will tell you that it needs to be included in that early design stage. Why? Implementing cybersecurity as an afterthought can be a complex, if not impossible, outcome to achieve. The technologies that enable secure devices, from software to hardware, are not add-ons. Retrofitting isn’t an option when cybersecurity becomes a concern. You either include cybersecurity in from the start or you don’t include it at all.
Do you need to speak with stakeholders about cybersecurity in medtech? Here are a few things to consider when deciding if cybersecurity is necessary:
- The risk to life if hackers compromise the device.
- The personal information that the device transmits and receives, which is a growing issue with discussion around data privacy laws in states like California with CCPA.
- Whether the firmware’s integrity (through cryptographic signing) or secrecy (through encryption) is adequately protected.
- Misuse of system resources when the device is hijacked as part of a botnet, for example, cryptocurrency mining or Distributed Denial of Service (DDoS) attacks.
- Hacking of usage data, leading to inaccurate statistics for analysis by stakeholders in uses like billing.
Poor or non-existent cybersecurity can affect a whole swathe of other issues. Cybersecurity often means dealing with unknown unknowns. But not having the capacity to deal with security unknowns once they become known, means that deploying updates to address cybersecurity issues is not possible. This could, as in the case of Medtronic, bring the life of your product to an end.
What the FDA is planning for cybersecurity regulation
The FDA’s Medical Device Safety Action Plan puts cybersecurity in the spotlight and brings it to the forefront of new regulatory controls. But any new regulatory controls would need the consent of Congress, which could be complicated by the current proposals are not being popular with US manufacturers.
MedTech Dive explained the five key points of the Safety Action Plan as:
- Total product lifecycle approach. Providing more informative data about the benefits and risks of devices to help inform regulatory decisions.
- Patient safety net. Bringing data together from different sources to address device-specific safety concerns.
- Postmarket surveillance. Mitigate emergent risks through streamlined regulatory authority.
- Foster device innovation. Supporting the development of safer devices through modern performance criteria and greater premarket support from regulators.
- Improve medtech cybersecurity. Using new premarket submissions to ensure devices have the capability to be updated throughout the product lifecycle.
The FDA has a plan to recognise excellence in cybersecurity practices. But it hinges on manufacturers submitting proof that security capabilities have been built into all devices from the design phase of product development. Using premarket measures, the FDA aims to see if manufacturers have addressed this issue through active engagement with stakeholders. This engagement should help to identify and address key cybersecurity issues early on in that design phase.
It’s tough to make an argument against including cybersecurity measures in future regulations for connected medical devices. After all, protecting patient safety would include protecting their data. Plus, there is a need to protect brand reputation in a competitive sector.
Maintaining patient confidence means avoiding what happened with Medtronic. Appropriate cybersecurity measures are a must. Updating against emerging threats is a sensible thing to do. But these emerging threats and the aspect of the unknown unknowns are what makes setting a compliance agenda a complex conversation.