Why cybersecurity is a critical concern for the evolving medical device market


On 9 January, St. Jude Medical announced the release of a cybersecurity update to its Merlin remote monitoring system. The same day, the FDA issued a safety notice regarding the Merlin @home Transmitter, alerting affected physicians and patients to the relevant software update and the potential for a security breach. These interventions arose after MedSec, a security firm, exposed vulnerabilities in the monitoring system used by patients with implanted pacemakers or defibrillators.

Similarly, in October 2016 medical device giant Johnson & Johnson warned users of the company’s Animas One Touch Ping insulin pump of a possible security hole. Despite these warnings and the potential for security gaps, companies are not slowing down their development of mobile phone app-based and cloud-based devices. On 9 January, the same day both St. Jude and the FDA recognized flaws in the Merlin system, orthopedic device manufacturer Orthofix announced FDA and EU CE Mark approval for the next iteration of its CervicalStim and SpinalStim bone growth stimulators. Along with these updated devices, Orthofix revealed its novel mobile phone application, Stim onTrack, created to communicate real-time patient data to physicians as well as alert patients to treatments.

Cybersecurity is an evolving frontier in the medical device market that manufacturers, physicians, and patients alike are attempting to navigate. The global population is becoming increasingly connected, and emerging technologies often exist solely in an app-based format to achieve speedy adoption. The incorporation of real-time data and cloud-based innovations into medical devices certainly presents a number of benefits. For example, physicians will be able to more easily monitor patient compliance with a treatment regime without the need for frequent office visits. This will be particularly useful in rural areas and developing nations, where access to healthcare is severely limited and follow-up visits are not often possible.

Increased connectivity also leads to increased vulnerability, as illustrated by the St. Jude Medical and Johnson & Johnson devices. Regulations exist for the privacy of patient health information, and devices must meet certain safety requirements in order to receive market approval. However, current FDA and CE Mark regulations are incredibly vague on the issue of cybersecurity in innovative devices. These regulatory bodies only offer guidance and recommendations, essentially depending on the manufacturer to ensure that devices are secure and continually monitored for necessary updates. As the medical device market progresses into an era of cloud-based connectivity, manufacturers and regulatory bodies will need to devote increased attention to cybersecurity risks to ensure patient safety and privacy are maintained.