As medical devices become more digitally interconnected and interoperable, they can improve the care patients receive and create efficiencies in the health care system.
However, medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.
Healthcare cybersecurity is the process of applying a variety of prevention, detection and response strategies to protect hospitals or other healthcare facilities from cyberattacks, to ensure patient safety, business continuity, protection of confidential data, and compliance with industry regulations.
Because they are classified as critical infrastructure, healthcare facilities and hospitals are attractive targets for bad actors. Cyberattacks have been identified as the top threat in many healthcare systems’ annual hazard vulnerability analyses (HVA).
To protect themselves from cyberattacks that could directly impact the health and safety of patients and the community, hospitals and healthcare facilities should adopt proactive protection measures for their connected cyber-physical systems.
By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage emerging cybersecurity risks, manufacturers can reduce cybersecurity risks posed to devices and patients.
Why is securing healthcare facilities important? See below:
▪ Malware attack on a healthcare provider resulted in 250 hospitals losing use of their systems for three weeks.
▪ University-based healthcare network was targeted by a cyberattack which disrupted 5,000 systems. The attack was estimated to cost $1.5 million per day.
▪ Cyberattack on a large Dallas-based healthcare company resulted in significant outages that cost the company over $100 million in lost revenue.
▪ And more recently, a ransomware attack at a French hospital resulted in a data leak and disruption of operations.
Boards and executives at healthcare organizations often view cybersecurity as yet another operating cost, when it should be seen as a risk reduction investment. Furthermore, complex compliance requirements, data privacy and security regulations are more restrictive in healthcare, and with good reason.
On December 29, 2022, the Consolidated Appropriations Act, 2023 (“Omnibus”) was signed into law, with effect date of March 29, 2023. Section 3305 of the Omnibus amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices.
Section 524B(c) of the FD&C Act defines “cyber device” as a device that
(1) includes software validated, installed, or authorized by the sponsor as a device or in a device
(2) has the ability to connect to the internet
(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats.
The requirements in section 524B(b) of the FD&C Act are:
▪ Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
▪ Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems.
▪ Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
Furthermore, medical device manufacturers must comply with quality system regulations (QSRs), which require that all risks, including cybersecurity vulnerabilities risk, are addressed.
The medical device manufacturer is responsible for the validation of all software design changes.
Off-The-Shelf Software (OTS Software) is a generally available software component, used by a medical device manufacturer for which the manufacturer cannot claim complete software life cycle control. Commercial Off-The-Shelf Software (COTS Software) comes from a commercial supplier.
Finally, medical device manufacturers using an OTS software, bear responsibility for the security as well as the safe and effective performance of the medical device.
There are three types of software related to medical devices:
▪ Software in a medical device (SiMD).
▪ Software used in the manufacture or maintenance of a medical device.
▪ Software as medical device (SaMD).
The term Software as a Medical Device is defined by the International Medical Device Regulators Forum (IMDRF) as
“software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”
Mobile medical applications (MMA) that meet the definition above are considered SaMD.
Existing regulations are largely for software that is embedded in dedicated hardware medical devices, with emphasis on physical harm, transmission of energy and/or substances to or from the body, the degree of invasiveness to the body, closeness to sensitive organs, duration of use, diseases, processes and public health risk, competence of user and effect on population due to communicable diseases.
Today however, medical device software is often able to attain its intended medical purpose independent of hardware medical devices, when deployed in diverse care settings, on a multitude of technology platforms (personal computers, smart phones, and in the cloud) that are easily accessible.
SaMD are typically connected to the Internet, networks, databases, or servers with varying information security requirements, which results in emergent behaviors not usually seen in hardware medical devices and introduces new and unique challenges:
▪ Medical device software might behave differently when deployed to different hardware platforms.
▪ Often, an update made available by the manufacturer is left to the user of the medical device software to install.
The SaMD information security and privacy control requirements, must be balanced with the need for timely information availability by identifying and implementing safe ways to store, convert and/or transmit data.
