Med Device Monday: Medical Device Cybersecurity

I mentioned in one of my earliest posts here that one of the reasons it's such an exciting time to work around medical devices is the technology and innovation we're seeing. We live during an unprecedented digital, informational, and technological age (I do occasionally link to Wikipedia for general informational purposes, and as always, those links come with a Grain of Salt disclaimer). And as with most things, there are two sides to this coin: major advances in any area don't come without challenges.

Technological (or, again, any) advancements are also not a straight line to success. As those of us in science know, trial and error is an unavoidable component of success; one might even say it's the basis of science/discovery. Enter Flu Mapping. Back in 2008, Google initiated a flu mapping service that aggregated search terms to predict flu outbreaks ahead of the CDC. The CDC does issue reports on flu outbreaks, but there is usually a two-week lag time between when the outbreak is happening and when the information on it can be published. Google was able to use real-time data to track outbreaks and, based on that, give notice of where the next outbreaks were likely to occur. Initially, Google's findings did track with the CDC reports that came out on that two-week delay. But, according to Ars Technica, "...two notable stumbles led to [Google's flu mapping service] ultimate downfall: an underestimate of the 2009 H1N1 swine flu outbreak and an alarming overestimate (almost double real numbers) of the 2012-2013 flu season’s cases."

Flu mapping seems a perfect use of technology, and indeed it is easy to imagine the benefits, but the implementation didn't work. So as with anything, it was back to the drawing board. While there still hasn't been a good real-time predictor of flu mapping, other areas of technology in healthcare have certainly exploded. Take a look at 3D printing, for instance.

As medical devices continue to advance and become more technological, with increased flow of information from doctor to patient, the risk of breaching that information or compromising control of a device also increases, and that's what I really want to focus on today.


At the end of 2016, FDA issued a final guidance document for cybersecurity in medical devices. In a blog post from December 2016, FDA explains, "Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan." FDA's stance is that technology is essential to the development of new and innovative devices, but that care must be taken to address and mitigate risks from conception to use:

"In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality.

The best way to combat these threats is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device. In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients."

They go on to outline specific points, as below:

Photo from fda.gov.


FDA has an abundance of information on this topic and we can expect that more will be made available as technologies advance and are used in more devices. I've linked to many resources below and I encourage you to read up on this topic. Certainly read the new guidance doc! That said, no FDA publication can cover every possible scenario. If you're working on a pre-market application (e.g. a 510(k), de novo, or PMA), the circumstances and cybersecurity needs of your device will undoubtedly be specific to your device. I suggest working with a regulatory professional and communicating well with your FDA reviewer to ensure that you're covering all your bases. If you're early in the design phase, or conversely if you're concerned your already approved device might be facing a cybersecurity threat, I encourage you to reach out to the FDA representatives at the Department of Industry and Consumer Education (DICE). They are an excellent resource for all things FDA, genuinely want to help answer all your questions, and you can talk to them anonymously.

Keeping devices safe while staying on the cutting edge of technology will always be a balancing act. This will be an interesting topic to keep an eye on for years to come.

Further key takeaways on this topic can be read on FDA's industry update page. There is also a link to the slides from a February 2017 webinar about the guidance doc.


Further reading:

FDA's cybersecurity info page

Framework for improving critical infrastructure cybersecurity