Cyber security involves safeguarding medical devices, and the networks, software and operating systems they are integrated with, from attack, damage or unauthorised access.
Advances in networked technologies have made it more urgent to address unintended safety, privacy and cyber security issues. The FDA regulates the cyber security of medical device software as part of its premarket review, so that devices reach the market only when their benefits to patients outweigh their risks.
In 2011, the FDA issued the Medical Device Data System (MDDS) rule, which covers software and electronic or electrical hardware (including wireless) used for medical purposes. An MDDS is a system that transfers, stores, converts or displays medical device data without controlling or modifying the function or parameters of a connected medical device, such as software that stores a patient's blood pressure readings for later review. The rule reclassified MDDS from class III (high risk) to class I (low risk). In 2015, the FDA issued guidance stating that it does not intend to enforce the regulatory controls for MDDS, medical image storage devices and medical image communications devices, because they pose a low risk to patients.
Networked technology in medical devices offers many benefits: it increases patient mobility by eliminating the wires that tether a patient to a bed, lets health care professionals programme devices remotely, and lets physicians access and monitor patient data regardless of their location.
GLWACH's eICU pilot program. Source: General Leonard Wood Army Community Hospital
Bitglass' Healthcare Breach Report states that 40% of 2016 healthcare data breaches involved unauthorised access to protected health information. As more software-driven diagnostic, monitoring and treatment systems become wearable and implantable, the attack surface grows with them, and so does their exposure to exploitation.
To limit cyber security risks to medical devices, manufacturers must implement comprehensive cyber security risk management programmes and documentation consistent with the Quality System Regulation (QSR, 21 CFR Part 820), covering complaint handling, quality audits, corrective and preventive action, software validation, risk analysis and servicing.
Initiatives should be encouraged to raise education and awareness among stakeholders, such as clinical engineers and physicians, so that they can develop policies and processes that set robust security requirements for networked medical devices. The industry should also engage with the security community or third-party specialists to assess network intrusion risk and propose mitigations for foreseeable cyber threats.
The future of this technology lies in its ability to improve the quality and relevance of patient care. Health care organisations must balance protecting patient safety against promoting innovative technologies with improved device performance, so that both the protected health information and the safety of the patients under their care are safeguarded.