Cybersecurity and Its Growing Impact on Medical Devices

The International Medical Device Regulators Forum (IMDRF) defines security, which is used interchangeably with cybersecurity, as “A state where information and systems are protected from unauthorized activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the life cycle” (1). In the past, medical devices were rarely connected to networks, and if they were, the network was usually private and could be isolated and secured. Additionally, medical devices used by patients at home were traditionally not connected. However, the proliferation of advanced devices and mobile apps has led to a rapid increase in connectivity between medical devices and remote computing, including cloud computing. As a result, vast amounts of medical data are now generated to monitor and modify treatment. In addition, these smart, connected medical devices include software that is vulnerable to cybersecurity threats and attacks.

Cybersecurity incidents can pose a threat to patient safety in healthcare systems by causing diagnostic or therapeutic errors, compromising the safe performance of a device, affecting clinical operations or denying patients access to critical care. In addition to patient safety concerns, financial losses can occur due to payment demands or fines resulting from a successful attack that leads to the loss of private patient information. Healthcare facilities are often targeted as they store a vast amount of confidential patient data, while medical devices and mobile apps provide an easy entry point for attackers.

U.S. Laws and Regulatory Requirements

The United States has several cybersecurity and data privacy laws that impact medical device companies, the most significant of which are:

• Federal Food, Drug, and Cosmetic Act (FD&C Act) grants the U.S. Food and Drug Administration (FDA) authority over medical devices (2).
• Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets standards for the protection and privacy of individually identifiable health information (3).
• Cybersecurity Information Sharing Act (CISA) encourages the voluntary sharing of cybersecurity threat information between private entities and federal agencies and aims to improve the overall cybersecurity posture of critical infrastructure sectors, including the healthcare sector and medical device companies (4).
• Federal Trade Commission (FTC) Act prohibits unfair or deceptive practices in commerce; the FTC has the authority to act against companies, including medical device companies, that engage in unfair or deceptive practices related to data security or privacy breaches (5).
• State Data Breach Notification laws in various states require companies to notify affected individuals and authorities in case of a data breach involving personal information.

HIPAA sets the standards for protecting personal health information (PHI) and requires healthcare providers and their business associates to implement appropriate safeguards to protect it. Medical device companies that develop, manufacture or distribute devices that collect, store or transmit PHI must comply with HIPAA regulations. Furthermore, individual states have started introducing laws, such as the California Consumer Privacy Act of 2018 (CCPA), that give consumers more control over the personal information that businesses collect about them (6). The FDA, via the FD&C Act, requires medical device companies to submit premarket clearance applications to ensure their devices' safety and effectiveness. That includes cybersecurity and data privacy measures to protect patient information.

The U.S. Consolidated Appropriations Act (Omnibus), signed into law on 29 December 2022, added section 524B, “Ensuring Cybersecurity of Medical Devices,” to the FD&C Act under Omnibus section 3305 (7). Therefore, as part of the submission for approval, the following must be provided:

• A plan for monitoring, identifying and addressing post-market cybersecurity vulnerabilities and exploits.
• Processes and procedures designed, developed and maintained to provide a reasonable assurance that the device and related systems are cybersecure.
• A software bill of materials, including commercial, open-source and off-the-shelf software components.

The FDA provides guidance documents that describe their interpretation of their policy on any regulatory issue. As their current guidance on cybersecurity, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices of October 2014, is dated, a new draft version has been released (8).

EU Laws and Regulatory Requirements

Like the United States, the European Union (EU) has several laws and regulations related to cybersecurity and data privacy for medical devices, of which the most significant are:

• The Medical Devices Regulation (MDR) sets requirements for medical device manufacturers to ensure the safety and performance of their products, including provisions related to cybersecurity, such as requirements for risk management and postmarket surveillance (9).
• The In Vitro Diagnostic Medical Devices Regulation (IVDR) requires manufacturers of in vitro diagnostic medical devices to ensure their safety and performance; it also includes provisions related to cybersecurity and data protection (10).
• The General Data Protection Regulation (GDPR) governs how companies collect, store and process the personal data of EU citizens and also applies to medical device manufacturers that process personal data (11).
• The Network and Information Systems Directive (NIS and NIS 2) establishes security requirements for critical infrastructure providers, such as healthcare providers that require them to report any cybersecurity incidents to the national authorities (12,13).
• The EU Medical Device Coordination Group (MDCG), which provides guidance to manufacturers and other stakeholders on the implementation of the MDR and IVDR (14), has issued guidance on cybersecurity and data protection requirements for medical devices (15).

Privacy Laws and Regulations

The impact of laws and regulations for cybersecurity and data privacy on the development of medical devices cannot be underestimated. It results in increased development time and costs for both hardware and software, which may lead to delayed patient treatment and higher device prices.

Medical devices often collect and process PHI about patients that must be handled in compliance with strict data-privacy regulations, which can significantly impact the design, development and testing of medical devices. Devices must be designed to protect patient privacy and to securely transmit and store PHI, requiring implementing encryption, access controls and other security measures to prevent unauthorized access to patient data. In addition, the GDPR includes requirements for data subject rights. This ensures that companies provide individuals with access to their data and the ability to control how it is used.

In summary, data privacy has a profound impact on the development of medical devices in the United States and EU. To comply with data-privacy regulations, developers must consider patient privacy as a critical design parameter in the development process, which can affect the device's functionality, performance and cost.

Cybersecurity Laws and Regulations

Medical device manufacturers need to integrate cybersecurity considerations into their design and development processes from the beginning. This includes conducting risk assessments, implementing secure design and development practices and conducting regular security testing and vulnerability assessments. Additionally, once the product is launched, manufacturers must provide ongoing security updates and support throughout its lifespan, which can further increase development and maintenance costs.

The FDA Draft Guidance for Industry: Ensuring Cybersecurity of Medical Devices outlines cybersecurity requirements for medical devices containing software or programmable logic, including SaMDs (5). Compliance will require manufacturers to update their existing quality management system (QMS), establish a secure product development framework (SPDF) and train personnel on the updated QMS and chosen SPDF. Furthermore, they must meet new labeling requirements, create vulnerability management plans and ensure that device cybersecurity design and documentation align with the cybersecurity risk.

Ensuring compliance with these regulations is a complex and expensive undertaking, demanding continuous effort to protect and maintain the safe operation of the medical device. In addition, the need for expertise in medical device development compounds the shortage of qualified cybersecurity professionals. Therefore, manufacturers may have to consider hiring more personnel or enlisting third-party security consultants to meet regulatory requirements.

Conclusion

Data privacy and cybersecurity laws and regulations significantly affect the development of medical devices in the United States and the EU. Companies that fail to comply with these regulations may face serious legal and financial consequences, highlighting the importance of prioritizing compliance efforts.

Finally, the potential rise in development time and costs for hardware and software may result in delayed patient treatment and higher device prices. As a result, it is critical to consider the impact of data privacy and cybersecurity laws and regulations on medical device development.

References

1. International Medical Device Regulators Forum, IMDRF/CYBER WG/N60FINAL:2020, Principles and Practices for Medical Device Cybersecurity: https://www.imdrf.org/sites/default/files/docs/imdrf/final/technical/imdrf-tech-200318-pp-mdc-n60.pdf.
2. Federal Food, Drug, and Cosmetic Act: https://www.fda.gov/regulatory-information/laws-enforced-fda/federal-food-drug-and-cosmetic-act-fdc-act.
3. Health Insurance Portability and Accountability Act: https://www.hhs.gov/hipaa/index.html.
4. Cybersecurity Information Sharing Act of 2015: https://www.cisa.gov/resources-tools/resources/cybersecurity-information-sharing-act-2015-procedures-and-guidance.
5. Federal Trade Act: Federal Trade Commission Act | Federal Trade Commission (ftc.gov).
6. California Consumer Privacy Act: https://oag.ca.gov/privacy/ccpa.
7. Cybersecurity in Medical Devices Frequently Asked Questions: Cybersecurity in Medical Devices Frequently Asked Questions (FAQs) | FDA.
8. FDA Draft Guidance for Industry: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, April 2022: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions.
9. Regulation (EU) 2017/745 (MDR), 5 April 2017: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32017R0745.
10. Regulation (EU) 2017/746 (IVDR), 5 April 2017: https://eur-lex.europa.eu/eli/reg/2017/746/oj.
11. Regulation (EU) 2016/679 (GDPR), 27 April 2016: https://gdpr.eu/tag/gdpr/?cn-reloaded=1.
12. Regulation (EU) 2016/679 (NIS): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016L1148.
13. Directive (EU) 2022/2555 (NIS 2), 14 December 2022: https://eur-lex.europa.eu/eli/dir/2022/2555.
14. MDCG Endorsed Documents and Other Guidance: https://health.ec.europa.eu/medical-devices-sector/new-regulations/guidance-mdcg-endorsed-documents-and-other-guidance_en.
15. MDCG 2019-16 – Guidance on Cybersecurity for Medical Devices, December 2019: https://ec.europa.eu/docsroom/documents/41863.