Cybersecurity has been a buzzword in the world of medical device manufacturing lately. The Food and Drug Administration (FDA) has issued several guidance documents for cybersecurity in medical devices. This guidance provides recommendations for medical devices with cybersecurity risks to ensure they are resistant to threats. The guidelines will affect device manufacturers seeking to get FDA approval for their products.
With medical devices becoming increasingly interconnected, there are greater cybersecurity risks. Devices can digitally connect with the internet, hospital networks, portable media, and other medical devices to transmit health information. These advancements have helped to improve healthcare and better treat patients, but they also increase exposure to cybersecurity breaches. This has pushed manufacturers to make cybersecurity a priority to ensure devices can effectively mitigate these risks.
Medical Device Cybersecurity Concerns
According to the FDA, medical device manufacturers are responsible for identifying the risks and hazards of their devices, including cybersecurity risks. They should have processes in place to determine any potential or existing safety risks and must have safeguards in place to mitigate them. But medical device companies are falling behind on maintaining and implementing robust cybersecurity measures.
This is a significant problem within the industry because cyberattacks on healthcare organizations have caused real harm to patients. Additionally, vulnerabilities in healthcare networks can compromise patient data confidentiality and integrity, opening medical device manufacturers up to legal issues in the event of a cybersecurity breach. Vulnerable medical devices include insulin pumps, intracardiac defibrillators, intrathecal pain pumps, mobile cardiac telemetry, and pacemakers, among others. Recent research has found that there are an average of 6.2 vulnerabilities per medical device. Outdated devices are at even more risk, with around 40% having no security patches or upgrades offered, leaving them completely open to cyberattacks.
One reason cybersecurity is such an issue for the industry is a lack of ownership of the new technologies medical device companies are using. Effective cybersecurity practices require constant vigilance to ensure any risks are identified and mitigated to prevent damage to the device and/or harm to patients. Manufacturers looking to strengthen their device’s cybersecurity need to make sure there is sufficient oversight by assigning ownership to a high-level position, such as a vice president or head of medical device security.
In addition to having an internal executive owner, medical device manufacturing companies need to create a response team to handle cybersecurity incidents. These response teams are meant to be proactive about post-production device cybersecurity. During and after a cybersecurity incident, response teams determine if and how the companies’ medical devices were affected. This includes checking to see if cybersecurity protections worked to safeguard against attack and, if not, identifying why they failed.
Even though the majority of medical device manufacturers need to work on their cybersecurity initiatives, there are signs that companies are taking these risks seriously. Medical device companies are increasing their cybersecurity budgets as well as their device security budgets. As cyberattacks on the medical industry continue, it’s good to see medical device manufacturers working to ensure their products are secure.
How New Cybersecurity Guidelines Affect Medical Device Manufacturers
The FDA is the main regulatory body for medical device cybersecurity, but it does not itself test devices for cybersecurity vulnerabilities before allowing them to go to market. Until recently, the only regulatory requirement placed on medical device manufacturers was that they address cybersecurity risks. These requirements come from guidance documents that the FDA publishes regularly to inform manufacturers of its recommendations and plans.
Within the past few years, the FDA has published multiple guidance documents relating to medical devices that focus on new technologies and cybersecurity. A recent document discusses machine learning- and artificial intelligence-enabled devices. Specifically, this guidance proposes an approach to ensure these devices can safely and quickly be modified in response to new data. This document is still in the draft guidance stage, so medical device manufacturers don’t need to make any immediate changes related to it.
However, another guidance document that was published last year on cybersecurity in medical devices has led to a new policy from the FDA. This policy states that medical device manufacturers must now show FDA regulators that they can monitor and handle cybersecurity threats after products are on the market. Companies must do this when applying for FDA authorization for their devices. Starting March 29, 2023, any digital medical device that does not include a cyberattack protection plan will be rejected by the FDA.
This policy applies to any medical device that can be connected to the internet or has software capability. Although the policy has already taken effect, the FDA has instituted a grace period for device manufacturers that runs through October 1, 2023. During this period, the FDA has said it won’t reject premarket device submissions and will instead work with companies to adhere to the new requirements.
Going forward, this policy means medical device manufacturers will have to collect and provide evidence that their devices are reasonably safe from cyberattacks each time they apply for FDA approval. They must also include a plan to monitor, identify, and address any vulnerabilities and threats that arise after the devices are approved and are on the market.
Creating ownership of device cybersecurity initiatives and forming a cybersecurity response team will go a long way in helping medical device manufacturing companies comply with these regulations. Additionally, the FDA must update its cybersecurity guidance every two years, so having a dedicated cybersecurity department in place may soon be a necessity to continue producing compliant medical devices.
If you’re interested in medical device manufacturing requirements and would like to connect with other medical device manufacturers and healthcare-adjacent manufacturers, learn about attending EASTEC.