When designing any electronic tool, whether it be a smart phone or a game console, it is always important for the manufacturer to strike a balance between functionality, or ease of use, and data privacy and security. Nowhere is the need to optimize this balance more important than in the realm of medical devices which collect, store and transmit digital medical information. A security breach, whether intentional or unintentional, involving a medical device connected to another device or the Internet can pose a significant risk of physical harm to the user as well as misuse of extremely sensitive medical information.
Last week, the Food and Drug Administration in the United Stated issued a set of Guidelines governing the cybersecurity of medical devices – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff. While not binding, the Guidelines draw on international information security standards, and set out the current thinking of the FDA to assist manufacturers of medical devices in the development and design of medical devices and in preparing premarket submissions for those devices. The Guidelines encourage manufacturers to identify any assets, threats, and vulnerabilities of a new medical device; assess the likelihood of a security incident and its potential impact on device functionality and end users; determine the level of risk and mitigation strategies; and assess residual risk and risk acceptance.
At its core, the Guidelines revolve around the NIST (National Institute of Standards and Technology) Cybersecurity Framework which focuses on key practices in cybersecurity – Identify, Protect, Detect, Respond and Recover. The process must begin with a recognition that any medical device which is capable of connecting to the Internet or to another device, whether remotely or hard-wired, is vulnerable to cybersecurity threats, which can compromise the safety and privacy of the user. Access controls need to be put in place that are commensurate with the risk that a vulnerability can be exploited and the probable risk of harm to a patient due to a cybersecurity breach. Such controls can range from a single password to a multi-factor authentication process using a combination of user IDs, passwords, biometrics and physical locks. Features must also be built into the device to allow for the detection of security failures and provide information for proper response, while at the same time protecting critical functionality, even when the device's security has been compromised.
Health Canada has not yet issued guidance on the management of cybersecurity in connection with medical devices. Where software meets the Canadian definition of a medical device (i.e. it is intended or represented for use in the diagnosis or treatment of an abnormal physical state of a patient), the manufacturer of the software is required to demonstrate the safety and effectiveness of the software. However, Health Canada has not yet issued guidance specifically on how manufacturers should address cybersecurity in the context of demonstrating a device's safety.
The important practical point is that regulators now expect
that, on a case-by-case basis, medical device manufacturers will
analyse and address the specific vulnerabilities of each device to
ensure not only the physical safety of the patient but the
safeguarding of hypersensitive medical information collected,
transmitted and stored by medical devices. One cannot (should not)
expect the approval of medical devices without embedded security
controls.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
