Global Cyber Threats Are Now Targeting Medical Devices
A hostile, authoritarian government launches a coordinated ransomware attack on computers across the globe. In under a day, the attack infects more than 200,000 computers in over 150 countries. It takes down hospital systems and medical equipment, including MRI scanners and blood-storage refrigerators, diverts ambulances carrying patients, and leaves surgical teams in limbo at the operating table.
This isn’t a New York Times best-selling political thriller. It describes the real-world 2017 WannaCry ransomware attack, which put thousands of lives at risk and caused an estimated $4 billion in economic damage.
WannaCry spread as a self-propagating worm. It exploited a vulnerability in the SMBv1 file-sharing protocol of unpatched Windows systems (the flaw addressed by Microsoft bulletin MS17-010), encrypted victims’ files, and demanded Bitcoin as ransom. The U.S. government publicly attributed the attack to North Korea, and the page’s view is that the motive was tied to economic sanctions imposed over its nuclear program.
Naturally, device outages and shortages caused by ransomware are now among the FDA’s top cybersecurity risk priorities. The risk is substantial, the threats are growing, and the entire medical device industry is affected.
Why Internet-Connected Devices Are So Vulnerable
Medical devices make up a growing share of the tens of billions of devices worldwide that now connect to the Internet of Things (IoT). Connected medical devices include infusion pumps, insulin pumps, pacemakers, and ventilators. A Moody’s report noted that one IT security firm saw cyberattacks against its healthcare customers jump almost 10,000% from 2019 to 2020.
Many medical devices in operation today were not designed with cybersecurity risk in mind, which leaves them open to attack. This is especially true of devices running outdated hardware, software, and protocols. The FDA has stressed the importance of a total product lifecycle approach to managing cybersecurity risk in new medical devices, and it expects manufacturers to address that risk early, during design and before seeking approval.
Understanding FDA Cybersecurity Requirements for Medical Devices
Regulations addressing cybersecurity risk in new medical device development will undoubtedly proliferate and become more complex. Because technology and the threats against it move quickly, regulators are constantly trying to keep up, and meeting FDA expectations will only get harder in an already demanding approval process.
Here’s what MedTech and life sciences companies need to know about medical device regulation.
Is Cybersecurity Legally Required for Approval?
Recent ransomware campaigns and other cyberattacks have exposed how vulnerable sectors like healthcare are to cybersecurity threats. For years, no U.S. statute directly required medical device manufacturers to address cybersecurity in their products, either before or after sale. That changed with the Consolidated Appropriations Act, 2023, which added section 524B to the Federal Food, Drug, and Cosmetic Act: since March 2023, sponsors of “cyber devices” must include cybersecurity information, including a software bill of materials and a plan for monitoring and addressing postmarket vulnerabilities, in their premarket submissions.
Independently of that statute, the FDA treats cybersecurity as part of the Current Good Manufacturing Practice (CGMP) requirements set out in the Quality System Regulation (QSR, 21 CFR Part 820). The QSR requires manufacturers to design, build, and maintain medical devices to a defined standard and to identify and correct quality problems, so that devices remain safe and effective throughout their service lives.
Under the QSR, medical device makers in the U.S. must demonstrate adequate cybersecurity design controls as part of premarket approval (PMA) and 510(k) submissions. The FDA has also worked to align the QSR with international standards, notably ISO 13485. Its guidance on cybersecurity in medical device premarket submissions describes what the agency expects to see.
Key Elements the FDA Looks for in Premarket Submissions
This guidance outlines key elements that should be addressed during medical device design and development, including:
- “identification of assets, threats, and exposure;
- assessment of the impact of threats and risk on device functionality and end users/patients;
- assessment of the likelihood that a threat will exploit a weakness;
- determination of risk levels and suitable mitigation strategies; and
- assessment of residual risk and risk acceptance criteria.”
Start Early: Designing Cybersecurity into Your Device Architecture
The Department of Health and Human Services (under which the FDA operates) stated in its budget justification that makers of new medical devices must demonstrate that cybersecurity features are built into the device design.
Kevin Fu, then the FDA’s Acting Director of Medical Device Cybersecurity, has said that sound threat models early in device design are key to reducing the risk of ransomware and other external threats:
“Ransomware is a symptom of shortcomings in threat models during early medical device design.”
“When you apply a proper threat model to medical devices, you can design them to withstand ransomware’s damaging effects.” —Kevin Fu, CDRH Acting Director of Medical Device Cybersecurity
The FDA’s guidance on cybersecurity in premarket submissions stresses addressing cybersecurity risk early in design and development. Identifying cybersecurity weaknesses early in the design process makes premarket review smoother and avoids the cost and delay of redesigning a device late in development.
Tailoring Cybersecurity Controls to the Risk Level
The QSR covers a wide range of medical devices, from pacemakers to basic surgical instruments. The FDA designed it as a flexible framework rather than a rigid set of rules.
The FDA has defined the essential elements of a quality system, but each manufacturer must decide which procedures and processes are appropriate. That decision depends on the manufacturer’s resources, the risks its devices pose, and how each QSR element applies to its products.
Using the IMDRF Framework for Cyber Risk Analysis
The International Medical Device Regulators Forum (IMDRF), a global group of medical device regulators that includes the FDA, has published guidance on medical device cybersecurity that helps manufacturers analyze cybersecurity risk during device design. The IMDRF works toward international harmonization of medical device regulation.
The IMDRF emphasizes that risk analyses should focus on the risk of patient harm, which depends on two factors:
(1) how easily a threat can exploit a vulnerability (exploitability), and (2) how severely exploiting that vulnerability would harm patients (severity).
Under this approach, the level of cybersecurity control a device needs depends on its intended use, the threats and vulnerabilities it faces, and the environment in which it will be used.
Which Devices Need the Most Cybersecurity Controls?
Connected medical devices, whether internet-facing or networked, need stronger design controls than standalone devices. Among connected devices, therapeutic implants such as pacemakers and neurostimulators can cause far greater patient harm in a cybersecurity breach than diagnostic or imaging equipment, so they warrant the strongest controls.
Avoiding Common Cybersecurity Mistakes in Device Design
One mistake medical device innovators often make is treating QSR compliance as a box to tick later, or only when a problem arises. Quality is not an afterthought to be bolted onto the medical device design process.
The FDA designed the QSR so that quality system principles are part of the design process itself, which is what produces a safe and effective product. For cybersecurity, that means developers must consider the product’s entire lifecycle.
They need to identify vulnerabilities and risks at each stage and design the product to reduce them. The best way to do that is to start early and build these considerations into the process.
Manufacturers must integrate cybersecurity into the quality system from the outset. Applying quality system principles early in design yields a disciplined approach to design validation and better documentation, and it ensures that cybersecurity weaknesses and their impacts are reduced throughout the product’s lifecycle.
Beyond Design: Sustaining Device Cybersecurity Through Ongoing Management
Even with strong product design and sound design controls early in development, device manufacturers face a changing threat landscape. The medical device industry is constantly confronted with new classes of vulnerability, and meeting the initial regulatory requirements is simply not enough.
True safety and effectiveness require continuous vigilance. The FDA increasingly focuses on a total product lifecycle approach: protecting devices from initial concept through post-market surveillance and beyond, and adapting to real-world threats as they emerge.
Achieving this requires teams that stay on top of regulatory compliance and that build international standards into their everyday processes. This proactive approach mitigates risk and sustains device cybersecurity over time.
Why Regulatory Experts Are Key to Premarket Success
In my years of helping medical device companies, I’ve seen that a big problem is not having a skilled team. That team should include an expert in quality system regulation and process design, which is especially important when designing a new medical device to handle cybersecurity risks.
The FDA is revising how it evaluates cybersecurity risk during premarket review to address new threats. Medical device sponsors need a trusted advisor who can help them keep pace.
How Crowley Law Helps You Navigate FDA Cybersecurity Compliance
Crowley Law LLC is a full-service law firm for technology and life sciences companies. Our years of experience in those industries give us a strong network of experts, and we can help you handle the regulatory challenges that come with developing new medical devices.
Cybersecurity is an important issue for makers of new medical devices, and it should be considered early in design and development. Crowley Law LLC is a boutique firm, and we focus on legal advice tailored to your company’s specific needs.
Contact us for a consultation. We can help you gain the best legal advantage for your new product launch.