Discover how the latest cybersecurity regulations are influencing the medical device industry. Learn about the measures manufacturers are taking to meet compliance requirements, enhance device security, and protect patient data. Stay ahead of the curve with insights into the evolving landscape of medical device cybersecurity.
Given its direct effect on health and life, the medical industry is subject to stringent regulations. Governments worldwide exercise some form of control over medical products and services.
However, the regulations don’t appear to be as agile as they should be in light of the growing cyber threats on web-connected medical equipment and other digital devices used in healthcare.
Medical devices that connect to the internet and to other gadgets have been in use for quite some time, but it’s only in the past couple of years that regulators have paid attention to the serious threats facing modern medical hardware. Better late than never, as some would say: it’s good to see policymakers stepping up their game to ensure the secure use and operation of medical equipment.
Here’s a rundown of the impact of new cybersecurity regulations as they are applied to the medical device industry.
Expanded FDA authority: a boost for patient safety and the cybersecurity industry
The passage of the United States 2023 Omnibus Bill comes with the expansion of the US Food and Drug Administration’s authority over medical device security. This expanded authority gives the FDA the power to set cybersecurity requirements for medical devices and requires all device manufacturers to demonstrate that their products meet these requirements.
This legislation provides the FDA with additional funding and statutory powers that significantly impact the medical device industry. Before the FDA’s updated authority, cybersecurity for medical devices was more of an auxiliary or supplemental concern. It was evaluated separately and not with the same urgency accorded to other device safety concerns.
The FDA’s new powers allow it to compel device manufacturers to implement a product development framework that meets its security requirements. Devices that do not meet those requirements will not be made available to customers.
Device makers will be required to monitor and address postmarket cybersecurity vulnerabilities, develop processes to provide reasonable cybersecurity assurance, submit a software bill of materials (SBOM), and comply with other requirements set by the FDA. Security is now part of the safety evaluation of devices.
The 2023 Omnibus Bill defines a device covered by the FDA’s expanded authority as one that meets any of the following conditions: it contains software or firmware, it can connect to the internet, and it could be affected by cyber threats or attacks. This means that a vast range of devices will be covered, and unscrupulous manufacturers will have a hard time circumventing FDA scrutiny.
All of this bodes well for patient safety, but many device makers will likely regard it as onerous. The changes they need to implement in their product development and monitoring processes mean additional costs. They also mean a slower time to market.
CISA’s push for secure-by-design policy: compulsory security throughout the product life cycle
The Cybersecurity and Infrastructure Security Agency (CISA) of the United States is pushing for the adoption of “secure-by-design” and “secure-by-default” policies among technology manufacturers, which include advanced medical device makers.
The agency is attempting to address the fixation of most companies on getting their products to market as quickly as possible, disregarding crucial safety concerns, especially when it comes to cybersecurity.
CISA also seeks to make organizations develop voluntary performance goals that match the specific needs and environments they are dealing with. These specific performance objectives allow organizations to have a better grasp of the threat landscape and how they can improve their products to stop or mitigate the impact of cyber attacks.
Moreover, CISA plans to encourage enterprises to be security-conscious through a government-sanctioned acknowledgement or praise for compliant organizations. The agency also plans to take advantage of the US IT procurement capacity to reward businesses that embrace the secure-by-design policy with favourable procurement deals.
CISA does not have a lot of regulatory authority, but it is capable of influencing organizations to become security-aware and to adapt to the changing needs in the field of medical device security. It plays two major roles: serving as the operational lead for federal cybersecurity and working as the national coordinator for critical infrastructure security and resilience.
EU Medical Device Regulation: systematized device security
In 2020, the European Union introduced regulations to address medical device cybersecurity threats. These regulations, collectively known as the Medical Device Regulation (MDR) framework, aim to ensure that all medical devices imported into the EU are of high quality and guaranteed safety.
MDR supplants the EU Medical Device Directive (MDD), which has been in place for nearly a quarter of a century. MDR is a mandatory requirement for all medical devices that enter the EU market. It sets a product classification system, clinical evaluation process, EUDAMED mechanisms, and supply chain guidelines to ensure medical device security and safety.
The European Union is one of the biggest markets for medical devices. MDR has been in effect for more than a year now. Its implementation has shown that it is possible to exercise effective regulation to ensure patient safety and security against cyber assailants. Its new requirements for medical device imports leave no room for run-of-the-mill device makers. It forces everyone to systematically integrate cybersecurity across the product development lifecycle.
Japan’s MHLW guidelines: information sharing with healthcare providers and patients
Japan has been at the forefront of medical device cybersecurity regulations in Asia. The country’s Ministry of Health, Labour, and Welfare (MHLW) announced in 2020 new guidelines regarding medical device security. These guidelines require medical device manufacturers to implement a cybersecurity management system and conduct regular risk assessments. They also ask manufacturers to provide information on the security of medical devices to healthcare providers and patients.
The MHLW guidelines are notable for their emphasis on information sharing. All relevant parties are informed about the security of medical device products. This is important in establishing trust and encouraging everyone to play a role in making sure that the medical devices available in the market are secure and unlikely to be compromised by threat actors.
How industries are responding
It’s safe to say that there have been no objections from the medical tech sector, or at least none that were explicit. Some in the tech industry have openly welcomed the new regulations. Google, for one, expressed support for the efforts to raise cybersecurity standards in mobile and IoT gadgets.
New medical device regulations do not only mean improved medical device effectiveness and patient safety. They also promote the development of new solutions that help device makers keep up with the new security requirements efficiently. They create opportunities for innovative companies, especially when it comes to addressing new cybersecurity needs.
Israeli medical software provider MedDev Soft, for example, offers solutions that simplify and accelerate software development and regulatory compliance for medical products. Californian startup Medcrypt offers cryptography, monitoring, and vulnerability management solutions for medical device makers.
Another Israeli company, Sternum, takes a different approach and offers integrated on-device endpoint security that helps with compliance with cyber regulations. The main advantage of this particular solution is that it can be used to easily retrofit existing devices. Sternum is responsible for the security of Medtronic’s pacemakers, for example.
Recent cyber attacks on healthcare organizations have highlighted the importance of cybersecurity regulations for medical devices. Device manufacturers, the tech industry in general, and cybersecurity firms acknowledge the need to bolster defenses in line with the US Cybersecurity and Infrastructure Security Agency’s recent pronouncements on the state of healthcare cybersecurity.
There may have been no significant incidents of cyber attacks that sought to harm individuals by hacking into their connected medical devices. However, it is better to anticipate such attacks than to be caught flat-footed.
New regulations are shaping the medical device industry, especially when it comes to safety and security. These regulations greatly benefit patients, but they are also a welcome development for the cybersecurity industry. Security firms have been developing new solutions to help organizations comply more easily while ensuring genuine medical device security.