To aid this effort, the Food and Drug Administration (FDA) issued its first guidance on medical device cybersecurity in 2005, focusing on networked medical devices with off-the-shelf (OTS) software.
Still, over the years, the FDA’s premarket guidance has evolved significantly, expanding from a 9-page document in 2014 to a comprehensive 57-page guidance in 2023. This evolution alone showcases the increasing importance of cybersecurity in the medical device industry.
The 2023 Consolidated Appropriations Act, however, transformed the FDA’s traditionally informal recommendations on medical device cybersecurity into formal, law-based requirements. Coupled with the FDA’s 2023 updated guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, this development signifies heightened standards in medical device cybersecurity. Together, these changes represent a significant advancement in the regulatory landscape for medical device cybersecurity.
Ensuring medical devices remain ‘cyber safe’
As initiatives from around the world demonstrate, these expectations are not exclusive to the US. For instance, the EU’s 2022/2555 Directive on the Security of Network and Information Systems (NIS2) now requires manufacturers of medical products, including chemicals (APIs), pharmaceuticals, and medical devices, to implement comprehensive cybersecurity risk management measures and adhere to reporting requirements.
Then, in Australia, the Therapeutic Goods Administration (TGA) issued the 2022 Medical Device Cybersecurity Guidance for Industry, which mandates a total product lifecycle (TPLC) approach to cybersecurity. This approach requires manufacturers to incorporate penetration testing, threat modelling, and other proactive measures into their risk management assessment process.
In Singapore, the Cybersecurity Labelling Scheme for Medical Devices (CLS-MD) introduces a rating system for medical devices based on their cybersecurity provisions. Under this scheme, medical devices are assessed and labelled according to their cybersecurity robustness, providing valuable information to the general public and healthcare providers. This labelling system enables informed purchasing decisions, allowing stakeholders to identify and select medical devices that meet high cybersecurity standards.
These global initiatives reflect a growing international consensus on the importance of robust cybersecurity measures in the medical device industry.
The advantages of interconnectedness are not without weaknesses
When a medical device includes software, especially if it can connect electronically to other devices or networks, prioritising cybersecurity becomes crucial. The interconnectedness of medical devices in the modern medical landscape, facilitated by software-enabled smart medical devices and a shift towards an Internet of Things (IoT) undeniably offers the benefit of convenient, timely care.
For example, patients with heart implants can be monitored remotely, reducing the need for frequent visits to the doctor. Similarly, new tools for managing blood sugar levels allow glucose metres and insulin pumps to interact seamlessly. Hospitals are also adopting more interconnected devices to enhance care and efficiency by sharing data seamlessly. However, at the same time, this also makes medical devices more vulnerable to cyberattacks and security breaches if there are weak links in healthcare systems.
The heightened risks stem from malicious actors targeting healthcare organisations to exploit vulnerable devices, access patient records, disrupt operations, demand ransoms, or infiltrate networks. For instance, devices such as insulin pumps, heart pacemakers, and wearables face heightened vulnerability due to their real-time tracking of patient data and immediate transmission of information to patients and doctors. As a result, robust cybersecurity measures are essential to protect these critical devices and ensure patient safety.
Practical implications for developers
The FDA’s cybersecurity guidance and regulatory scope encompass a wide range of device software functionalities, including data storage, transfer, and analysis. Any medical or diagnostic device with upgradable software, a USB port, or even compact disc technology is now classified as a connected device and falls under the new regulations.
Both the FDA and the UK’s NCSC-Secure Design Principles stress the importance of manufacturers taking into account the broader ecosystem and interconnectedness of devices.
Rather than operating in isolation, security objectives should be integrated across the entire system architecture of medical devices.
Medical Device Manufacturers (MDMs) should perform threat modelling on devices well in advance of their release to promptly identify security threats and vulnerabilities, evaluate them, and prioritise them to ensure that the devices are secure before they are released to the market. Creating a prioritised list of key concerns enables teams to effectively tackle and resolve critical issues prior to submission. Moreover, it establishes a documented log of security considerations that teams can systematically address in future iterations.
It’s also important to address systemic issues to avoid the need for singular fixes later. This may involve revising standard operating procedures, aligning the quality management system, and developing comprehensive security strategies that span the entire development lifecycle, meeting both cybersecurity standards and regulatory requirements.
Ultimately, failure to meet the explicit criteria set by the FDA for cybersecurity measures not only puts patient safety at risk and compromises data integrity, but could also risk market entry delays, leading to financial losses and reputational harm. Similarly, in the EU, manufacturers failing to comply with the Cyber Resilience Act could lead to product removal from the Single Market or substantial fines comparable to those stipulated in the General Data Protection Regulation (GDPR).
To mitigate risk, the FDA recommends implementing a “software bill of materials” (SBOM) programme as a fundamental element in their software security and supply chain management. The SBOM provides a comprehensive list of all software components within a device, enabling effective tracking and management of vulnerabilities.
Understanding and aligning with cybersecurity requirements and expectations in target markets is essential for manufacturers to navigate regulatory landscapes effectively and ensure the security and integrity of their medical devices.
Prevention is better than cure
It’s important to note that cybersecurity shouldn’t be an afterthought but should be woven into the foundation of developing medical devices.
Cybersecurity must be a priority across all facets of the business, including budget allocation, resource allocation, training, and so on. It’s not just about abiding by regulations and avoiding penalties; it’s about recognising that the true benefit of advanced, interconnected devices will shine through only if end-users can trust the devices that are so closely integrated into their lives. The software behind these devices, if not built with cybersecurity in mind, can become vulnerable to cyber threats, thereby exposing the patients who rely on them to the same risks. That defeats the purpose.
Systemic issues must also be addressed when designing a security strategy in order to avoid subsequent fixes down the line. Giving due importance to such processes will allow developers to foresee any potential risks and enable them to take corrective measures well in advance, ultimately saving the trouble of potential reputational damage, financial losses, market delays, and patient safety issues.
Author details: Phyllis Meng, CEO & co-founder of Pure Global
