I must admit, I felt a degree of relief when the FDA finally got around to issuing draft guidance on the issue of cybersecurity in medical devices earlier this year. As a software and systems engineer, I sit on our dedicated cybersecurity team here at Cambridge Consultants. It’s good to see that data protection is now increasingly on the FDA’s radar, as the issue of patient security is becoming ever more pressing. So here are my top 10 things that every medtech developer needs to know about data protection.
1 Cybersecurity is now essential.
This probably goes without saying but I’ll say it anyway. You can no longer develop a medical device without thinking about connectivity, the benefits it offers and the risks involved. The possibilities are exciting. Patients will communicate with their clinicians more easily, and clinicians will have better information on which to base their treatment decisions. For product manufacturers, it will be possible to monitor device use, offer updates and interact with both patients and clinicians.
But, of course, the risks involved in having confidential patient data flowing back and forth are also significant. Few of us will have forgotten the WannaCry ransomware attack on the NHS in 2018, which cost the taxpayer £92 million after 19,000 patient appointments were maliciously cancelled. Nobody wants that sort of disruption and data breach to happen to them; taking cybersecurity seriously can help manage that risk.
2 The medtech world is struggling to catch up.
Today, you can do just about anything from your smartphone, from shopping to meeting your future spouse. But the bare facts remain – the most secure way to handle patient data is not to share it electronically. And in the risk-averse world of medical development, that has indeed been the default option. However, this attitude is being challenged on a daily basis with the ever more exciting prospects offered by data sharing.
For example, we are currently working on a neurostimulation device for people with multiple sclerosis or traumatic brain injuries to improve their balance. The results are impressive. The device sits on the tongue and stimulates the brain. Within fourteen weeks, a user can go from being barely able to walk to being able to step confidently over an obstacle. Just think of the benefits data sharing could offer from this device to patient, clinician and device manufacturer in terms of real-time information, communication and analysis.
3 Designing cybersecurity is a three-step process.
I advise clients to consider their security options as a three-stage development that needs to be front and centre of their design from the very beginning:
- Identify. You will need to distinguish and record the data (assets) that you need to protect – and identify what you need to protect it from. Plan ahead; cybersecurity shouldn’t be an afterthought and is generally more expensive and less satisfactory if added on towards the end of a project
- Assess. Work out how serious a breach of confidentiality, integrity or authenticity would be, the likelihood of it occurring and what the greatest risks are
- Protect. At this stage, you can move on to developing ways to ensure your assets are safe. Make time in your development plan to perform security-related activities and create the documents and evidence required to convey your security design to regulators
4 Cybersecurity is more than just encryption.
I always say that the cybersecurity for a medical device has three aspects: confidentiality, integrity and authenticity.
- Confidentiality. We want only authorised people or systems to be able to read the data
- Integrity. We want only authorised people or systems to change the data or perform an action
- Authenticity. We want to know that people or systems are who they say they are and that data comes from genuine sources
For these three aspects of security to be in place, we usually need authentication and authorisation as well. Authentication means we can prove an entity is genuine. Authorisation controls what that entity can do or access.
5 Devices are people too.
Well, not actual people, but we need to be able to trust that information comes from an authentic device, just as we would from a person using their username and password or biometrics. And devices need to be able to trust that any information or commands sent to them come from a trusted place. We can establish a private root of trust within connected systems, with secure, verifiable digital signatures allowing information to be trusted.
6 Be positive about data flow for your customers.
Get connectivity right and the benefits it will bring to the users of your medtech product are huge. Clinicians can monitor individual patients in real time far more effectively and also combine this data with machine learning to analyse trends. On a population scale, data can be shared to build up pooled knowledge of, for example, how certain treatments affect patients. Connectivity gives the patient many ways to interact with their clinician and fellow patients, getting notifications, advice and insight into their treatment. Embrace these possibilities and your device will be the better for it.
The team here worked on the Philips Lifeline medical alert system. Aimed at older adults or the vulnerable and worn on a lanyard, it detects if the wearer falls and automatically calls for support through a two-way speakerphone. This device is already on the market and hugely successful. Its cybersecurity needs are high, clearly, but well worth it as it links the user to carers, relatives and clinicians.
7 Data flow can be good for device manufacturers, too.
Connectivity offers specific benefits to medtech companies, too. A device can feed back information on its performance, providing valuable design insights. Updates will be possible, in the same way a smartphone updates its software overnight.
8 Not everything needs to be protected to the same degree.
In terms of the practical efforts that go into your cybersecurity planning, remember that not everything needs to be protected. Using a risk-based development process allows you to put the most effort and resources into the high-risk items.
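The identify, assess and protect steps from point 3, combined with the risk-based prioritisation described here, can be captured in a small risk register. The following is an added example, not code from the article or from Cambridge Consultants; the 1 to 5 scoring scales, the tier thresholds, the control wording and the sample device assets are all assumptions made for illustration.

```python
from dataclasses import dataclass

PROPERTIES = ("confidentiality", "integrity", "authenticity")
# Assumed example controls per property; not a list taken from the article.
CONTROLS = {
    "confidentiality": "encrypt data in transit and at rest",
    "integrity": "authorise changes and verify integrity before acting",
    "authenticity": "verify digital signatures against the root of trust",
}

@dataclass(frozen=True)
class Asset:
    name: str        # Identify: the data or function to protect
    threat: str      # Identify: what it needs protecting from
    impact: dict     # Assess: property -> 1 (minor) .. 5 (severe)
    likelihood: int  # Assess: 1 (rare) .. 5 (expected)

def assess(asset):
    """Return (risk score, property driving the risk) for one asset."""
    scores = [asset.impact[p] for p in PROPERTIES]  # KeyError if one is missing
    if not all(1 <= s <= 5 for s in scores + [asset.likelihood]):
        raise ValueError(f"{asset.name}: scores must be in 1..5")
    worst = max(scores)
    return worst * asset.likelihood, PROPERTIES[scores.index(worst)]

def protection_plan(register, high=12, medium=6):
    """Rank assets by risk so effort goes to the high-risk items first."""
    plan = []
    for asset in register:
        risk, driver = assess(asset)
        tier = "high" if risk >= high else "medium" if risk >= medium else "low"
        plan.append({"asset": asset.name, "risk": risk, "tier": tier,
                     "first_control": CONTROLS[driver] if tier != "low" else None})
    return sorted(plan, key=lambda row: row["risk"], reverse=True)

# Constructed register for a hypothetical connected therapy device.
REGISTER = [
    Asset("battery level", "read by a third party",
          {"confidentiality": 1, "integrity": 1, "authenticity": 1}, 2),
    Asset("patient usage history", "intercepted in transit",
          {"confidentiality": 4, "integrity": 2, "authenticity": 2}, 3),
    Asset("therapy settings", "changed by an unauthorised command",
          {"confidentiality": 1, "integrity": 5, "authenticity": 5}, 3),
    Asset("firmware update image", "tampered image installed",
          {"confidentiality": 1, "integrity": 5, "authenticity": 5}, 2),
]

if __name__ == "__main__":
    for row in protection_plan(REGISTER):
        print(row)
```

The ranked output doubles as evidence of the risk assessment for the design documentation, and low-tier rows record a deliberate decision not to spend effort there.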
9 Think of the future.
You need to consider how to detect and respond to issues once the device is out there. Medical devices can be on the market for decades. Can you offer security updates once quantum computers are available and the level of security you originally implemented is no longer sufficient? In the future life of the product, will changing the design affect data safety? Your security will need checks to ensure it continues to work as it should, so post-market surveillance needs to be in place throughout the life of the product and include cybersecurity.
10 To conclude.
While medtech is traditionally risk averse and often values safety above innovation, this mindset is currently being challenged by the exciting potential that data sharing offers. Maybe we can have both. The key to making the most of these opportunities is to get the right cybersecurity in place, so be sure to factor it in to your design from the outset.