Much-needed regulatory update will place more onus on healthcare equipment manufacturers
The digital security of medical devices will face added scrutiny in forthcoming rules issued by the European Union.
Set to come into force this May, the updated EU Medical Device Regulation (MDR) will see manufacturers of medical devices and healthcare equipment, from contact lenses to pacemakers, adhering to more stringent standards throughout a product’s lifecycle.
The aim is to improve patient safety across one of the world’s largest markets for medical devices, which accounts for an approximate €110 billion ($125 billion) in annual sales.
Particular attention has been paid to IoT medical equipment and products that incorporate programmable electronic systems or software.
Devices destined for the European marketplace will now have to undergo approval through a risk classification system that puts the onus for cybersecurity predominantly on the manufacturer.
Keeping pace with developments
Multiple product recalls caused by critical software vulnerabilities have underlined the need for enhanced safety across the medical technology (MedTech) marketplace.
One of the more notable examples occurred in 2016 when a digital insulin pump made by a Johnson & Johnson subsidiary was found to have a security vulnerability in its radio frequency communication system.
The flaw could have allowed an attacker to gain unauthorized access to the device, and the available mitigation left the insulin pump no longer functioning as intended.
The Animas OneTouch Ping insulin pump was pulled from shelves a year later, with approximately 90,000 individuals using it or another Johnson & Johnson product, the Animas Vibe, at the time of discontinuation.
Pacemakers, whose digital advances have arrived amid a flood of warnings from the infosec community, have also been subject to recall, including action taken by the US Food and Drug Administration (FDA) in 2017 covering six types of Abbott pacemakers, nearly half a million devices, over cybersecurity risk.
Rusty Carter, vice president of product management at Arxan Technologies, thinks that consumers, who are normally left responsible for applying device security patches, have driven the shift towards manufacturer accountability.
“Clinicians are a critical component in building awareness, as they are the least likely to understand the security aspects of manufacturers, clinicians, and patients, and the need to maintain patient safety,” Carter told The Daily Swig.
“They [clinicians] are typically prescribing, recommending, selecting, or installing devices.”
Secure by design
The updated MDR strives to lessen the burden placed on medical practitioners by requiring device manufacturers to develop software with appropriate access controls and protection of data, both stored and in transit.
“Weak access control may allow malicious modification of the operation of an implanted cardiac device,” states a document published by the Medical Device Coordination Group (MDCG), which issues cybersecurity guidance to device manufacturers under the new MDR.
“During an emergency, the medical personnel must be able to access an implanted cardiac device without restrictions, but strong security measures need to be in place under normal operating conditions.”
A surge in cyber-attacks on the technologically fragmented IoT infrastructure – attack traffic increased threefold in 2019, according to the cybersecurity firm F-Secure – has partly driven the push for uniform healthcare device security standards.
The ever-expanding number of attack vectors means that vendors must have the foresight to account for potential environmental hazards, such as an unsecured USB port or poor physical security, while maintaining device usability.
Certified healthcare professionals
Vendors that are impacted by the MDR must obtain certification of their device through an accredited Notified Body, which will check that the health tech supplier falls in line with the security considerations outlined in the rules.
Notified Bodies can also suspend or withdraw a certificate, while enforcement such as fines or product recalls rests with the national competent authority of the member state concerned. The General Data Protection Regulation (GDPR), the NIS Directive, and the Cybersecurity Act all work in conjunction with the MDR in each EU member state.
France’s competent authority, the National Agency for the Safety of Medicines and Health Products (ANSM), issued draft cybersecurity recommendations in July last year, in order to assist with the European Commission’s implementation of the new device rules.
The draft recommendations “set out the key principles without expanding on the technical details, which would otherwise quickly render this document obsolete given the rate at which both medical devices and attacks can develop,” the document (in French) issued by the regulator states.
But striking a balance between security and functionality is no easy feat, and it adds cost for manufacturers, who may find themselves supporting multiple versions of the same product in line with the MDR.
This involves published technical documentation of the product, post-market surveillance of the device, and manufacturer’s responsibility to issue software updates in the event of a reported security vulnerability.
The push for even the most basic security requirements has received some blowback, however.
MedTech Europe, a trade association representing the medical device industry, for example, told MobiHealthNews last year that the MDR had “far reaching consequences for the industry”.
“It sets out new and far more stringent requirements for medical devices, which will affect clinical evaluation, conformity assessment procedures, traceability and market surveillance, among other obligations,” commented Oliver Bisazza, director for regulations and industrial policy at MedTech Europe.
“Considering the significance of these changes and the operational issues they raise, there is widespread concern in the industry that many actors will be unable to fully comply with the MDR by the general date of application.
“This could negatively affect the availability and safety of medical devices in the European Union.”
The MDR is set to come into force on May 26, 2020, following a three-year transitional period for manufacturers that began in 2017. Medical devices in the EU were previously regulated by directives dating back more than 25 years.
Even with the allocated transitional period, however, MedTech associations have remained vocal about the new cybersecurity efforts set out by the EU, with a survey of 230 medical device manufacturers last September finding that only 27% of respondents expected to be in compliance with the MDR come the May deadline.
The study, produced jointly by the Regulatory Affairs Professionals Society (RAPS) and multinational accounting firm KPMG, highlighted market fragmentation concerns and heightened risk to patient safety if devices left the European marketplace as a result of EU regulation.
Another issue that has become apparent through the industry upheaval is the lack of a coordinated process to oversee the MDR’s implementation. Eudamed, the database meant to centralize information under the MDR and provide additional transparency over product assessments and security advisories, has been delayed by the European Commission until 2022.
The MDR will come into force this May regardless, but without a centralized source of information to support safe and informed procurement, the new rules are likely to leave medical practitioners in the dark.
“In a hospital there are the people who are buying medical devices and most of them aren’t real medical professionals,” Jelena Milosevic, a paediatric nurse in the Netherlands, told The Daily Swig.
“The board and management are making decisions of what you can buy, and what they want to have.”
Digital devices are sold on a promise of expedited healthcare, Milosevic said, and with little influence from the clinicians who use them.
“That’s the biggest problem,” she said. “We’ve got an innovation lobby that’s pushing for new digital devices and healthcare products that are connected to your phone.”