Feature
Cybersecurity: building resilience into the medical device market
With cyberattacks on the rise, medical device manufacturers must invest substantial resources and expertise to mitigate the threat. Sally Turner looks at industry developments and the regulatory landscape and asks how the key challenges in this space can be overcome.
Medical devices have become a prime target for cyber-attacks, which can have a devastating impact on business operations and patient safety. The COVID-19 pandemic led to a surge in these incidents, as criminal syndicates, nation-states, and individual actors capitalised on the stress the industry was under.
Devices susceptible to cyber-attack include vital signs monitors, insulin pumps, pacemakers, and imaging equipment such as Magnetic Resonance Imaging machines and Positron Emission Tomography scanners. As medical devices become more reliant on network connectivity, there is an increased risk that hospital networks may come under widespread threat, putting patients’ privacy, health, and safety at risk.
In the US, a 2022 report issued by the Federal Bureau of Investigation declared that 53% of digital medical devices in hospitals had serious security issues that were previously documented. The same year, the European Union Agency for Cybersecurity (ENISA) published its annual Threat Landscape report, which declared that approximately ten terabytes of data was stolen by cyber criminals every month in 2022 as a result of ransomware attacks. ENISA also reported that approximately 60% of all organisations targeted by ransomware may have paid the ransom demands to mitigate threats to patient safety.
The European regulatory landscape
The security of European medical technologies is currently regulated under the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR). These regulations lay out comprehensive essential requirements for digital medical technologies and services, including Medical Device Software (MDSW) placed on the EU market. The MDCG 2019-16 rev.1 guidance on cybersecurity provides additional advice, and the Cybersecurity Act, the General Data Protection Regulation and the Network and Information Security Directive are also relevant. Together, this guidance helps to ensure the cybersecurity of a medical device from its inception, design, and development through to its end-of-life and decommissioning.
MedTech Europe, the European trade association for the medical technology industry, has recently published a ‘position paper’ outlining Europe’s vision for a resilient medical technology ecosystem. Along with stringent guidelines in this space, the report calls for “measures aimed at improving the level of overall digital literacy, and particularly, cybersecurity skills. The evolving cybersecurity threat landscape coupled with a significant European cybersecurity skills shortage is an untenable situation, and must be addressed.”
Alexander Olbrechts, MedTech Europe Director Digital Health, says the update of the NIS Directive (NIS2) further emphasises the importance and responsibilities of the medical technology manufacturers in the supply chain to ensure a higher level of security in healthcare.
“Also, medical technology manufacturers must ensure that third parties involved in device manufacturing and operation (e.g. hosting) have measures in place from a security and/or internal controls perspective,” he adds, “and support continuous improvement in information security through periodic assessments and certifications by independent external experts.”
US
In the US, the Food and Drug Administration (FDA) has faced criticism over concerns that internet-connected products used in healthcare could be subject to cyber-attack. Under FDA guidance published in March 2023, manufacturers of medical devices are now required to submit specifics on how they will ‘monitor, identify, and address’ cybersecurity issues, and to make security updates and patches available on a regular basis. The FDA must also re-evaluate its medical device cybersecurity regulations at least every two years.
“The recent FDA guidelines for medical device cybersecurity offer a solid step in the right direction,” observes Charles Fracchia, CEO of Black Mesa Labs and co-founder of BIO-ISAC, an international organisation that addresses threats unique to the bioeconomy. “It is very encouraging to see this momentum and we would love this to include other centres beyond the Center for Devices and Radiological Health.”
Challenges and solutions
Fracchia adds that questions remain regarding products that do not fall under the definition of a medical device. Instruments and equipment used across the bioeconomy, particularly in biomedical infrastructure, require the same security approach and similar guidance, yet are not covered by this regulation.
“The FDA needs to embrace cybersecurity as an intrinsic component of safety and expand to have core cybersecurity competency levels at its other divisions, like the Center for Drug Evaluation and Research and the Center for Biologics Evaluation and Research too,” he says. “As one example, language in these guidelines calls for including a software bill of materials which offers important advancements in securing our products at the starting point – the acquisition of software. Yet, we don’t include devices outside the definition of a medical device, and they are needed.”
MedTech Europe applauds legislative intervention aimed at reinforcing shared cybersecurity responsibilities and curbing the emerging and expanding attack vectors used by would-be cyber-criminals. However, Olbrechts says the ongoing digital transformation of society, coupled with the lagging digitalisation of healthcare institutions, continues to position healthcare as a prime target for malign actors.
“MedTech Europe welcomed the revised Network and Information Security Directive (NIS2) as a means of reinforcing the digital resilience of states and businesses, while ensuring that they increase their investments in cybersecurity,” he says. “While we welcome such legislative intervention, the legislation should be combined with tangible investments in organisations’ security postures, resilience of digital tools and processes, and the investment in people and the skills necessary to deliver on such legislation.”
Future outlook
Effective global cybersecurity strategies require sound actions to improve overall cybersecurity postures and to broaden cyber resilience. Digital literacy, and in particular cybersecurity skills, play a key part in this.
Olbrechts explains that action in this space can take many forms, such as investment in cybersecurity education and training within EU Member States’ national curricula (secondary and/or tertiary), as well as extra-curricular certificates, continuing professional development and life-long learning activities for relevant staff. Public-private partnerships are more important than ever to achieve these goals.
Leveraging the combined expertise of industry, EU Member States, academia, and civil society will be paramount.
“Recent investments have not yet reached that ambition though,” observes Olbrechts, “and there still remains a global shortage of a sufficiently educated cybersecurity workforce trained to withstand and respond to the malign cyber activity of today.”
Fracchia agrees and adds that we need to look more broadly at the bioeconomy and identify opportunities for the reinforcement of cybersecurity best practices and, in some cases, regulation.
“New materials, medicines, alternative foods, livestock, and food and beverages – all these rely on bioproducts that come through cyber-connected equipment. We need cybersecurity to be a priority; it defines our ability to access the entire supply chain, including everyday items like food and antibiotics. There is no safety without cybersafety.”