Marta Dunphy-Moriel, partner, and Alexander Dittel, senior associate in the commercial technology team at Kemp Little LLP, look at how medical device & mhealth products must meet cybersecurity standards.
We have seen an exponential growth in a variety of medical devices and mHealth devices over the last 10 years. Many modern devices rely on “hyper-connectivity” to deliver medical services in new ways and to monitor and diagnose patients remotely. However, this comes at the cost of increased cybersecurity risk.
A medical device will include any instrument, apparatus, software, material or other article intended for diagnostic or therapeutic purposes for humans which does not predominantly rely on pharmacological, immunological or metabolic processes. mHealth products such as fitness, lifestyle or well-being apps are not regulated as medical devices, but they may sometimes face similar challenges.
Medical devices have not avoided disruption through injection, spoofing, denial of service, ransomware and other attacks. We are told about implantable cardiac devices with a wireless transmitter that could be manipulated to deplete the battery or administer inappropriate pacing. Attackers could fatally alter hospital drug dosing systems. In its recent annual report, the National Cyber Security Centre (NCSC) disclosed notifying 51,910 indicators of compromise to the NHS over the year and safeguarded against Russian state attacks aimed at vaccine espionage.
It is clear that poor cybersecurity implementation could affect patient health and expose patient data. The rapidly evolving cyber threat landscape, divergence in technologies and compatibility issues, wireless and mobile capabilities, the large number of stakeholders and the evolving regulation make cybersecurity in medical devices and mHealth apps a real challenge.
Is complying with the law enough?
An increasing number of modern medical devices collect and evaluate diagnostic and other data on a regular or even real-time basis. As a special category of personal data medical data attracts higher information security requirements under the General Data Protection Regulation (GDPR) due to the underlying risks.
Under the GDPR appropriate technical and organisational measures must be implemented to safeguard personal data. This does not translate into a fixed list of security measures but rather into various IT governance and IT management security processes and measures informed by a continuous risk assessment. In the healthcare sector, the risk assessment will focus not only on identifying cybersecurity vulnerabilities and their exploitability, but also the severity of the potential impact on the health of affected patients. With a number of available methodologies, in practice, manufacturers will have to follow good industry practice in order to comply with the GDPR.
Medical devices must be registered with the Medicines and Healthcare Products Regulatory Agency. The Agency’s previous focus on functional and operational safety is shifting towards cybersecurity including lifecycle risks and the danger of security incidents. Digital service providers and essential services providers in the healthcare sector will also have to comply with the Network and Information Systems Regulations 2018. Similarly, medical devices in the EU with obtain the CE mark after a successful conformity assessment. Particularly data-heavy triage tools, symptom checkers and algorithmic decision trees will have to demonstrate that they meet legal requirements, are safe and function as envisaged.
Follow good industry practice
Medical devices should comply with government as well as industry guidance.
The government’s cyber essentials are just the start. The information standards DCB0129 issued by the Department of Health and Social Care mandate the requirement for effective clinical risk management when developing and modifying healthcare IT systems and complex medical devices. The process must be documented and led by an experienced clinician. Each identified hazard must be assessed and counteracted with appropriate measures.
The ISO 14971:2012 standard for risk management in medical devices is not specifically aimed at information security. However, it mandates the requirement of inherent safety by design which carries the general notion that functionality should be automated and manual operations limited to avoid human error.
The European Agency for Cybersecurity (ENISA) has obtained a permanent mandate under EU’s Cybersecurity Act. The recent ‘Cybersecurity and Resilience for Smart Hospitals’ and ‘Procurement Guidelines for Cybersecurity in Hospitals’ show an urgency in improving cybersecurity in the healthcare sector, as does ENISA’s recently launched monthly eHealth Security Conference.
Some of the trending cybersecurity topics include:
With the increased reliance on connected technologies spurred by COVID-19, there are more cyberattacks and hospitals and GP practices with immature cybersecurity remain an easy target.
Manufacturers must build in security for the frontend and backend in accordance with the principle of privacy by design and default.
Manufacturers should provide cybersecurity maturity assessments.
Devices must be supported in the long-term but remote patching may not pass the risk assessment.
Mature incident response services are essential.
Staff must be able to secure the device in case of a security incident, e.g. network segmentation or offline operation.
Business continuity and backup processes are required.
Only secure third party code and components should be used, ideally those certified under one of ENISA’ schemes.
The healthcare sector has been the priority of the NCSC during the pandemic which has supported by deploying experts to help with incidents and helping to rollout active cyber defence measures. Given the healthcare sector’s close cooperation with NCSC, manufacturers should monitor developments and guidance.
Understand your clients’ compliance obligations
Medical practitioners are increasingly reminded to only use secure medical devices and healthcare procurement is becoming more sophisticated. Manufacturers who comply with best practices or maintain certifications will have a competitive advantage.
Manufacturers must understand their clients’ cyber-security obligations, whether they are supplying to distributors or medical practitioners. Devices should be appropriately customised to minimise human error, allow for monitoring, reporting, and integration with security tools. A long-term support commitment will be essential as many older medical devices have been used for much longer than intended by the manufacturer.
NHS professionals will comply with the DCB0160 standards for effective clinical risk management for deploying, using, maintaining and decommissioning healthcare IT systems and complex medical devices. Suppliers will be expected to maintain adequate risk management processes, have a designated clinical safety officer accountable for quality standards, conduct regular risk analyses, maintain a hazard log, and evaluate the system’s deployment.
Functionality that may be desirable for some clients may not sit well with others. For example, suppliers may be keen to incorporate the ability to seek the patient’s consent for commercial use of data, whereas medical practitioners may oppose any misleading practices. Afterall, genuine medical research should be permissible under the statistical exemption under the GDPR.
Ignore developments at your peril
In conclusion, manufacturers and developers must stay on top of cyber threats and industry initiatives in order to satisfy their increasingly aware clients and ensure the protection of medical data and patients’ health as is required by law.