Blog

Why It Takes So Long to Develop a Medical Technology (Part 12)

Written by Mark Carol, MD
Published:

Cybersecurity

As technology advances, medical devices have become increasingly connected to facility computer networks. While this synergy enables ease of use and data sharing, it also can expose medical devices to cyber vulnerabilities from which they were previously shielded. Cybersecurity – or the safeguarding of computer networks and the information they contain from penetration and malicious damage or disruption – has never been more important in the medical field.

Cybersecurity illustration with a lock in the center

In prior decades, medical devices were self-contained standalone devices separate and distinct from the hospital network. Data were transferred back and forth by some form of hard media, making the device effectively protected from cybersecurity attacks on the hospital system. The shift toward integration began as a unidirectional flow of electronic information from provider to device. For instance, the provider would download imaging information to the device in order to plan a therapeutic intervention. In recent years, this integration has expanded to allow devices to send information, usually treatment delivery data, upstream to populate an electronic medical record (EMR).  

As technology has advanced, remote interaction with devices from outside the hospital system has become possible. Medical devices are no longer a stand-alone component of the clinical care process. Therapy devices can get their guidance information from imaging centers remote from the treating hospital, then output treatment records back to centralized EMR systems. A physician or technician can even remotely monitor, guide, or service some devices.

The increased use of wireless networks and Internet connection, coupled with the desire to integrate information across health systems, has made medical devices more open – and subsequently more vulnerable – to cybersecurity threats. These vulnerabilities were always inherent in the devices, and thanks to the increased connectivity of today’s world, they have become real risks.

Risks can go further than just putting transferred information at risk. The science fiction idea of exploiting an implanted medical device or taking over control of a surgical robot remotely has become reality. There have been successful attacks against devices like insulin pumps and pacemakers. Given that manufacturers can interface with an operating room device for training and guidance, the potential exists for a third party to wreak havoc.

Networked medical devices are open to:

  • Compromise of confidentiality from unauthorized access due to poor security control measures, leading to noncompliance with regulations and possible litigation with financial consequences
  • Loss of integrity from poor configuration, corruption of data, or unauthorized manipulation of information that can affect patient safety
  • Unauthorized data access – or loss of data access – that impacts patient safety and/or the ability to proceed with a procedure

The responsibility for maintaining device functionality, integrity, confidentiality, patient privacy, and function is shared by manufacturers, health care providers, oversight organizations, and patients.

Regulatory authorities, such as the US Food and Drug Administration (FDA), have the responsibility for assuring the safety, effectiveness, and security of medical devices. These agencies have acknowledged the seriousness and enormity of the cybersecurity problem and have published recommendations for managing risks and protecting patient health information. This is meant in part to assist manufacturers in their submissions for FDA authorization of medical devices. However, these are currently only recommendations and may not be included as part of the regulatory review process. But that may change.

The FDA has distributed documents such as the “Content of Pre-Market Submissions for Management of Cybersecurity in Medical Devices” guidance that are aimed at considering protection in the design and development stages by identifying potential security risks. The guidance document recommends that patches and update plans, including a cybersecurity review, be submitted for FDA review. In an environment where software patching can be an extremely frequent occurrence, this level of required oversight could be prohibitive for medical device manufacturers. Furthermore, this review process would apply to third party software used on a medical device, for instance, an operating system update. The possibility of repetitive FDA authorization when any change is made to a medical device, including the embedded software, means additional cost and time to market. It could also leave known vulnerabilities open longer than would otherwise occur. Right now, it is only a guidance document, but should it become a requirement rather than a guidance, the time to market for new devices would increase dramatically as the regulatory process gets bogged down in the review of already authorized devices.

Hospital IT departments are, or at least should be, religious about ensuring that the hospital network is secure. As a result, they play a major role in the review of sales contracts and device configurations. Until such time as there is a universal standard that devices must meet that is accepted by all facilities, manufacturers may need to get buyoff from each facility on cybersecurity issues before a sale can be completed. A device that is required to interact with the hospital network may meet the manufacturer’s requirements for security, but the final arbitrator is the hospital IT department. Not working with the department prior to the sale could derail the sale later in the process. This is especially the case if that device connects to the internet in some manner (e.g., for downloading data from a remote site, for monitoring treatment by a remote technician or by medical personnel). Built-in delays should be included in sales timelines to account for this interaction, and sales projections should be tempered to account for facility cybersecurity assessments and the impact they may have on timing of a sale or of the sale happening at all.

Mark Carol, MD, is a senior consultant at the Focused Ultrasound Foundation.

Read the Series