To manage their sugar levels, diabetes patients depend on insulin pumps. But researchers from QED Security Solutions found a vulnerability that let them remote control one line of digital pumps.[I] Just by tapping a few buttons on their Android app, the researchers could give pump users a lethal insulin overdose from a distance.
Thankfully, these researchers weren’t aiming to kill. They wanted to make a point to the US Food and Drug Administration (FDA) about medical device cybersecurity—which they very much did. A week after the researchers’ demo to the FDA, the device maker recalled the product.
But this incident shows how the advent of smart medical devices opens up a new and scary realm of risk and regulation. How can device manufacturers stay up to date, comply with evolving rules, and protect their customers?
How should we secure the “Internet of Bodies”?
The “Internet of Things” isn’t new: by making our devices “smart” and connecting them to each other, daily life and work become easier and more accurate. But when it comes to medical devices, that connectivity raises new questions about privacy, security, and safety.
Penn State Law professor Andrea Matwyshyn calls this new phenomenon the “Internet of Bodies,” and she warns that “for the first time, our physical safety, autonomy, and well-being can—and inevitably will—be harmed because of flawed software or lapses in security.”[ii]*
Cyber-physical systems that directly interface with patients’ bodies are the clearest risk. QED Security Solutions’ “killer app,” targeting home-use medical devices, is just one such example. But even more than such external devices, implantable devices like pacemakers and deep brain stimulators demand long-term planning—recalling a brain implant isn’t quite as easy as recalling an insulin pump.[iii]
Where does security stop with remote healthcare monitoring?
And consider that depending on how you draw the line, the “Internet of Bodies” could include various smart wearable devices too.[iv] Remote healthcare monitoring may not carry the same physical risks, but can still jeopardize users’ privacy. The US Army learned that the hard way when a 20-year-old Australian student pointed out that you could clearly see soldiers’ daily routines in Afghanistan military bases… from fitness app Strava.[v]
Technically, the EU and FDA don’t consider fitness devices as medical devices (though wearable medical devices do exist). But as Matwyshyn notes, remote healthcare monitoring has regulatory grey areas—she raises the hypothetical example of a smart pill that acts as a sleep tracker. Fitness device, or medical device? The answer could decide which regulatory body it falls under.
Where do the EU, US, and Others lie on medical device cybersecurity?
The rapid development and sheer diversity of smart medical devices means that regulators are still figuring out how to manage them. While some international standards already exist, countries are also using their own frameworks, often spanning multiple agencies.
International standards: The International Standards Organization (ISO) and International Electrotechnical Commission (IEC) have developed the ISO/IEC 80001 standards series, covering “application of risk management for IT networks incorporating medical devices.”[vi] These voluntary technical standards provide a comprehensive overview of risks associated with medical device connectivity, with which health care delivery organizations (HDOs) and medical device manufacturers (MDMs) can benchmark devices and systems.
The ISO 14971 standard also provides a more general approach to risk management for medical devices. And in April 2020, the International Medical Device Regulators Forum published its finalized “Principles and Practices for Medical Device Cybersecurity.”[vii]
United States: The FDA regulates medical device sales, and this applies to cybersecurity too.[viii] Federal regulations require MDMs to address cybersecurity alongside other risks, and the FDA has issued several sets of guidance outlining how to approach cybersecurity-related concerns.[ix] Final premarket guidance came out in 2014, and final postmarket guidance in 2016, but updates have continued.
With that said, the FDA isn’t the only US government agency involved. For MDM best practices, the FDA’s guidance looks to the non-regulatory National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, and the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency helps keep an eye out for vulnerabilities in devices.[x]
European Union: The EU’s regulatory framework is still evolving, with fresh guidance from the EU Medical Device Coordination Group in January 2020.[xii] This is intended to help MDMs meet requirements under two new regulations: the EU Medical Device Regulation, or MDR (2017/745), and the EU In Vitro Diagnostic Medical Device Regulation, or IVDR (2017/746), both adopted in May 2017.[xii]
Originally, the MDR was slated to come into effect in May 2020, and the IVDR in May 2022. But with Covid-19, the EU has pushed the effective date of the MDR back to May 2021.[xiii]
Australia: Australia’s Therapeutic Goods Administration (TGA), housed within its Department of Health, released a guidance document on medical device cybersecurity for industry on July 2019.[xiv] As other agencies have, the TGA frames cybersecurity as part of a larger risk management process, pointing to ISO 14971 and the US NIST cybersecurity framework as potential approaches.
Singapore: Singapore’s Health Sciences Authority is responsible for vetting medical device cybersecurity, and calls for a lifecycle approach to product management.[xv] The Singapore Standards Council has produced a document outlining security risk management for connected medical devices.
Protecting medical devices, protecting ourselves
Medical device cybersecurity is a challenging field that regulators have adapted to with varying speed. The US’s proactive approach over the past decade, for example, contrasts with the EU’s still-developing regulatory regime.
Yet international regulation has generally converged toward a risk-based approach, where MDMs must make cybersecurity an essential part of managing risk over a device’s lifetime. As the Internet of Bodies grows, that can only be a good thing, because at the end of the day, securing our medical devices will mean protecting our own lives.[I] wired.com – These Hackers Made an App That Kills to Prove a Point
[ii] wdj.com – The ‘Internet of Bodies’ Is Here. Are Courts and Regulators Ready?
[iii] ncbi.nlm.nih.gov – New risks inadequately managed: the case of smart implants and medical device regulation
[iv] lexology.com – The Role of Wearables in the Battle Against COVID-19
[v] bbc.com – Fitness app Strava lights up staff at military bases
[vi] eprints.dkit.ie – Assessing against IEC 80001-1
[vii] imdrf.org – Principles and Practices for Medical Device Cybersecurity
[viii] fda.gov – FDA’s Role in Regulating Medical Devices
[ix] fda.gov – Cybersecurity
[x] nist.gov – Framework for Improving Critical Infrastructure Cybersecurity Version 1.1; – healthitsecurity.com – DHS CISA: Serious Vulnerabilities Found in 6 Medical Device Systems
[xi] blogs.dlapiper.com – Europe: EU MDCG issues new guidance on Cybersecurity for medical devices
[xii] medtechdive.com – EU group offers guidance on meeting MDR’s cybersecurity standards; – eumdr.com – The European Union Medical Device Regulation of 2017
[xiii] europarl.europa.eu – Parliament decides to postpone new requirements for medical devices
[xiv] tga.gov.au – Medical device cyber security guidance for industry; emergobyul.com – The convergence of medical device cybersecurity requirements in Australia, Canada and the USA
[xv] rsis.edu.sg – CO19204 | Healthcare: A Critical Information Infrastructure; – hsa.gov.sg; singaporestandardseshop.sg – Connected medical device security