Cybersecurity in Medical Device Development and Regulatory Affairs

In the hit television series “Homeland”, a fictional vice president is assassinated by terrorists who remotely hack his pacemaker, triggering a fatal heart attack. This Hollywood plot was inspired by the real-life actions of Vice President Dick Cheney after the September 11 attacks. In an era when Al Qaeda dominated the global agenda, Cheney had his cardiologist disable the wireless function in his heart defibrillator. University researchers in 2008 proved this was a credible threat by demonstrating a software radio-based attack on an implantable cardioverter defibrillator (ICD) in the 175 kHz frequency range.

Cybersecurity is now a key pillar in medical device development, driven by interconnected technologies, evolving regulatory mandates and the growing threat of online infiltration. The health care industry has experienced a surge in cyberattacks since the “Wanna Cry” Ransomware attack against the UK’s National Health System in 2017. 

Malicious hacks have targeted small hospitals as well as some of the largest health care systems in the United States.  At HCA, for instance, cybercriminals obtained access to data for more than 11 million patients by exploiting an external storage vulnerability, exposing names, birth dates, and other sensitive information.

Growing Risk to Devices

The medical industry device has avoided a major cyber assault so far with real-world effects comparable to the ransomware and data theft crimes perpetuated against hospital systems. However, a rapid increase in detected vulnerabilities in products on the market shows there have been many “close calls”. In these cases, a malicious actor could’ve compromised patient privacy and safety if luck and timing had played out differently.

To cite a few examples:

- Medtronic MiniMed 600 Series (2022): The FDA alerted users to a cybersecurity risk in the Medtronic MiniMed 600 Series insulin pump system. Vulnerabilities in the device’s wireless communication protocol that would’ve allowed a hacker to program incorrect insulin dosing, a potentially lethal risk for patients with diabetes. Medtronic made rapid corrections, and the FDA worked closely with the manufacturer to mitigate risks with patients and doctors.

- Fresenius Kabi Agilia Connect Infusion System (2021): Vulnerabilities in this infusion system exposed a way for remote attackers to access sensitive information, modify settings, or execute arbitrary actions as unauthorized users. The manufacturer had to issue software patches and, in some cases, hardware replacements to address the risk.

- Illumina Sequencing Instruments (2022): Cybersecurity flaws in Illumina’s next-generation sequencing devices had the potential to compromise patient results and customer networks, prompting the FDA to notify healthcare providers and recommend mitigation steps.

As the incidents continued to increase, with more smart devices coming online every year, the FDA issued specific cybersecurity guidance in 2023. Device and diagnostic manufacturers need to provide detailed plans for monitoring and disclosing vulnerabilities during the premarket phase. In the post-market period, manufacturers must commit to an ongoing monitoring and disclosure protocol with a requirement to resolve any detected issues within 90 days.

FDA Guidance

In September 2023, the FDA issued a Guidance Document titled, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. The intent of the FDA Guidance document is to ensure device manufacturers address Cybersecurity issues early in the design development process and throughout entire product lifecycles. Manufacturers or Investigational Study Sponsors are now required to provide as part the following pre-market submissions to CDRH and CBER:

• Investigational Device Exemption (IDE) submissions

• Investigational New Drug (IND) submissions

• Premarket Notification (510(k)) submissions

• De Novo requests

• Premarket Approval Applications (PMAs) and PMA supplements

• Product Development Protocols (PDPs)

• Humanitarian Device Exemption (HDE) submissions

• Biologics License Application (BLA) submissions[DP1] 

The agency also established clear expectations around software and data security practices, drawing on protocols used in other industries such as finance and defense. These baselines include:

- Encryption of data in transit and at rest as it propagates between the device, cloud stage and clinical dashboards.

- Multi-factor authentication (MFA) to prevent unauthorized access.

- Role-based access controls (RBAC), ensuring the patients, doctors, technicians and others have appropriate reviews of data and functionality.

- Secure boot and firmware validation since underlying software involved in initial startup and activation often pose a layer of vulnerability.

- Continuous monitoring and logging to detect any deviations and anomalies real-time.

- Regular penetration testing to verify device and system security for every software update.

Finally, the regulatory updates of 2023 articulated clear documentation requirements for cybersecurity. An SBMO (Software Bill of Materials) must identify all software components, including third-party and open-source code. This is essential in premarket submissions for evaluating device risks and mitigating the chance of vulnerabilities found in previous high-profile incidents.

IVD Considerations

In Vitro Diagnostic (IVD) devices pose unique risks due to their role in diagnostic decision making. A bad actor with the ability to manipulate test results could threaten public health at massive scale. Situations where numerous devices are interconnected, common in smart diagnostics, create a “weakest link in the chain” opportunity where a single vulnerability in one device could compromise the entire network.

Cybersecurity is now inseparable from the design, development, testing and regulatory clearance or approval of medical devices. Software development and risk management are key elements for demonstrating medical devices are safe and effective and not vulnerable to cybersecurity risks. Make sure you have a plan to engage partners or internal subject matter experts who specialize in this area as software and hardware become integral to medical product development alongside traditional life sciences expertise. By proactively embedding cybersecurity into every stage of the device lifecycle, manufacturers ensure the ability to thrive in software-enabled medical products, ensuring government compliance as well as patient privacy and safety.

Questions on the cyber security plan for your medical device? Landrich Group can help with an overview of FDA guidelines for clinical trial design and regulatory approvals.