By Eric Distad

When I think of cybersecurity, the images that come to mind are nefarious hackers trying to steal personal identification from credit companies, spies breaking into government data repositories as part of an elaborate espionage plot, or even Keanu Reeves hacking into the Matrix to overthrow an out-of-control artificial intelligence. One thing that does not immediately come to mind is medical devices. That, however, is something we in the device industry should be in front of.

If my recent attendance at the Heart Rhythm Society in Chicago is any indication, computer technology continues to play a critical and growing role in the medical device industry. Row upon row of booths displayed devices that ranged from small, wearable heart monitors to implantable defibrillators, all run and monitored by software, much of it on a network of some kind. Any medical device that is on a network and sends, receives or stores information can be a target.

Does it seem likely that someone would go through the trouble to hack into an insulin pump to administer someone a lethal dose? Probably not. However, if ransomware can be used to hold someone’s credit card information hostage until they pay a “fee” to have it released, how long before the hackers figure out they could probably get a lot more ransom by holding life-saving information or treatment hostage? And while the likelihood of someone hacking into a defibrillator is low, the result of such an action would not be. This is something medical device companies are being forced to consider as they struggle with the high-tech problems that go with their high-tech products.

Medical device companies aren’t the only ones who have this on their mind; the FDA has been thinking about it too, and has issued guidance documents for management of cybersecurity in both pre- and post-market settings. The pre-market guidance document, issued in December 2014, recommends a proactive approach in thinking about cybersecurity, and includes a five-point list of cybersecurity information to include in pre-market submissions for applicable devices.[1]

The post-market guidance document, issued in December 2016, again notes the threat that networked medical devices face and encourages manufacturers to think about how they will approach the issue throughout the product’s life cycle.[2] Evaluation of cybersecurity risk for devices is largely dependent on the impact on patients if exploitation occurred and whether that risk is sufficiently controlled.

The post-market guidance offers recommendations on how to assess this risk based on likelihood of exploit, the impact of exploit on patient safety and device performance, and severity of patient harm if exploited. Guidance is provided for when updates made to protect against potential risks need to be reported, and the document also provides a list of what the FDA considers to be critical components of a robust cybersecurity risk management program.

As medical devices become more technologically advanced, the issue of cybersecurity will continue to be one that developers and CROs are forced to consider and address in order to adhere to FDA guidance and protect patient information and safety. While hacking into a medical device may not seem as appealing to criminals as, say, hacking into the Pentagon, it is our responsibility as researchers and manufacturers to be prepared should they decide to turn their attentions to the medical device sector. Syneos Health is ready. Are you?


[1] https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482649.pdf

[2] https://trapx.com/fda-final-guidance-post-market-management-of-cyber-security-in-medical-devices/

About the Author

Eric Distad has been in the clinical research industry for 20 years, with various roles that have culminated in project management. The majority of his experience is with Class III medical devices supporting cardiovascular (coronary, peripheral, and carotid stents; AAA and TAA stent grafts; CHF/mitral valve insufficiency) and orthopedic (prosthetics and joint fusion) IDE studies, with additional work in diagnostics, human factors, and combination devices studies. He also has experience in urology, muscular dystrophy and rheumatoid arthritis trials. Eric has worked for both sponsor and CRO companies large and small, and has been involved in projects from protocol development through successful PMA submission. Throughout his career, he’s prided himself on open communication and building strong relationships with customers and team members, resulting in clinical programs that are not only completed successfully, but are a positive experience for all involved.
