Wearable Technologies and Cybersecurity: Medical Device Software and Software as Medical Device
16 May, 2020
Use of wearable technology in healthcare brings many questions regarding information governance, including data privacy, informed consent, and confidentiality, as well as concerns over the cybersecurity of products, given the increased cybersecurity threats to the healthcare sector that are severe and clinically impactful. The United States (U.S.) Food and Drug Administration (“FDA”) has stated that effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, internet- and network-connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information. This article focuses on potential cybersecurity controls from a manufacturer’s approach, considering risks that may negatively affect performance, clinical operations or diagnostic and therapeutic functions regarding medical devices that contain software and software as a medical device (“SaMD”), which is a medical device on its own. Even though data privacy is a significant and extensive subject, it is not discussed within the scope of this article.
Cybersecurity of medical devices that contain software and SaMD is a global issue with widespread use of wearable technology in healthcare and the increased understanding of the threats and their potential effect, whereas the regulations are in continuous development, varying from jurisdiction to jurisdiction. The FDA defines cybersecurity under the Draft guidance document regarding Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (“Cybersecurity in Medical Devices”) dated October 18, 2018 as the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient. Pursuant to the Principles and Practices for Medical Device Cybersecurity (“Medical Device Cybersecurity”) by International Medical Device Regulators Forum (“IMDRF”) dated March 18, 2020, cybersecurity is defined – in parallel with the ISO standard regarding health software and health IT systems safety, effectiveness and security, which is currently under development – as a state where information and systems are protected from unauthorized activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the life cycle.
As per the definition prepared by the IMDRF with the intention to provide a harmonized definition regarding medical device, which has been adopted in full or partially by regulators of various jurisdictions, a medical device is any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use (in vitro is Latin for “within the glass”; when something is performed in vitro, it happens outside of a living organism), software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings, for one or more of the specific medical purpose(s) of: i) diagnosis, prevention, monitoring, treatment or alleviation of disease, ii) diagnosis, monitoring, treatment, alleviation of or compensation for an injury, iii) investigation, replacement, modification, or support of the anatomy or of a physiological process, iv) supporting or sustaining life, v) control of conception, vi) disinfection of medical devices, vii) providing information by means of in vitro examination of specimens derived from the human body; and which does not achieve its primary intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its intended function by such means. Within this framework, products which may be considered to be medical devices in some jurisdictions but not in others also include disinfection substances, aids for persons with disabilities, devices incorporating animal and/or human tissues, and devices for in vitro fertilization or assisted reproduction technologies.
SaMD can be defined as software intended to be used for one or more medical purposes that performs these purposes without being part of a hardware medical device. For example, software that is intended for diagnosis of a condition using the tri-axial accelerometer that operates on the embedded processor on a consumer digital camera, or that is capable of running on general purpose (nonmedical purpose) computing platforms, is considered SaMD. In this respect, regulations and requirements regarding medical devices would apply to wearable technologies that are used in the health sector and qualify as a medical device (as may differ pursuant to the definitions regulated by the relevant jurisdiction).
Regarding medical device software and SaMD, when incorporating controls and measures with respect to cybersecurity issues, it is important for medical device manufacturers to make sure that the subject medical device remains safe and essentially performs as intended. As explained under the Medical Device Cybersecurity, risks associated with cybersecurity should be considered throughout the total life cycle of a medical device including but not limited to design, manufacturing, testing, and post-market monitoring activities. As cybersecurity threats continuously evolve, manufacturers should proactively monitor, identify, and address vulnerabilities and exploits as part of their cybersecurity management plan across the life cycle of a medical device. Some pre-market elements that a manufacturer should address during the design and development of a medical device are designing security components into the product, applying risk management strategies, security testing, arranging information regarding secure operation of the device for users, and planning for post-market activities regarding cybersecurity matters.
The FDA stresses that while manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential to also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle. Risk assessment and management, information sharing, labeling, vulnerability remediation, and incident response can be listed as some of the essential aspects of cybersecurity. In this regard, manufacturers should also keep in mind the intended use environment and misuse scenarios of their product.
As failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) authenticity, availability or integrity, or exposure of other connected devices or networks to security threats, the systematic use of available information to identify hazards is essential, considering that such a breach may ultimately have the potential to result in end user/patient harm. Therefore, as explained under the Medical Device Cybersecurity, risk analyses should focus on potential patient harm by considering the exploitability of the cybersecurity vulnerability, and the severity of patient harm if the vulnerability were to be exploited. With respect to maintaining cybersecurity in medical devices, manufacturers must identify assets, threats, vulnerabilities, and the potential impact of threats; assess and monitor the effectiveness of the risk controls; and communicate risks via coordinated disclosure to stakeholders.
As end users/patients are key stakeholders with regard to medical device cybersecurity, informing users through labeling can also be an effective way to manage cybersecurity risks. When drafting labeling for a medical device, in addition to the device instructions in relation to recommended cybersecurity controls, a manufacturer should consider all applicable labeling requirements under the relevant jurisdiction. Pursuant to the Cybersecurity in Medical Devices and in parallel to the Medical Device Cybersecurity, a description of backup and restore features and procedures to regain configurations, a list of network ports and other interfaces that are expected to receive and/or send data, and sufficiently detailed system diagrams for end-users should be included.
In addition, information sharing is a vital tool for managing cybersecurity threats and vulnerabilities across multiple sectors of the global economy. In sectors other than healthcare, standards and best practices for intelligence and sharing threats have been implemented. In order to strengthen the security of medical devices, stakeholders may consider adopting proven tools from other sectors. To do so, manufacturers could partner with stakeholders including healthcare providers, distributors, and consumers to make sure optimal formation and configuration of their devices is achieved. Within this context, to ensure that the relevant medical device can be used safely, information relating to the security of such medical device should be shared transparently for patient safety improvement. In addition, for stakeholders in various jurisdictions to be able to respond accordingly, as appropriate, information should be shared synchronously globally.
Even though various cybersecurity measures are taken, software-enabled medical devices are not completely invulnerable to threats or fully protected. Therefore, as a post-market approach, consideration should be given to integrating actions such as vulnerability remediation (e.g. patient notifications) and coordinated vulnerability disclosure into routine practice. In this respect, manufacturers should develop and distribute information to end users/patients in a timely manner after a threat or issue regarding cybersecurity is detected. As it may differ per the jurisdiction, manufacturers should consider specific jurisdictional requirements in terms of timely communications. Coordinated vulnerability disclosure with key stakeholders is highly important since multiple medical devices may be impacted and such disclosure may prevent potential harm. In addition, it would be beneficial for manufacturers since they may be able to improve their security design for future products as a result of such transparency.