The internet of medical things (IoMT) - the collection of medical devices and applications that connect to healthcare information technology systems through online computer networks - is expanding rapidly with the growth of digital health devices. Digital health devices bring many benefits, such as remote patient monitoring, increased patient accessibility, improved patient experiences and outcomes, improved accuracy, easier logistics and reduced healthcare costs, but they also bring an increased risk to patient safety from cybersecurity threats and medical device hacking (also known as medjacking).
When developing a new digital health device, as well as when maintaining an existing one, securing the device against cybersecurity attacks is critical. Cyber threats are growing rapidly - unauthorised access, theft of sensitive data, corruption of data and disruption of medical care - and all of them could affect the safety of patients and device users. For example, as far back as 2017, the FDA alerted the radio-frequency-enabled device manufacturer St. Jude Medical to a flaw in its devices that attackers could exploit to send malicious programming commands, potentially draining pacemakers' batteries, causing local device memory storage issues, modifying patients' heartbeats without authorisation, or administering inappropriate electric shocks. In 2023, the Cybersecurity and Infrastructure Security Agency warned Medtronic that its intracardiac devices also have security flaws in their wireless communication protocols, which could allow a cybercriminal to steal, delete or modify device data.[1] Among the most vulnerable devices are infusion and insulin pumps, wearables, MRI systems, smart pens, implantable cardiac devices, wireless vital monitors, smart thermometers and temperature sensors.[2]
Both the European Union (EU) Medical Device Regulation (MDR) and the United States Food and Drug Administration (FDA) recognise the importance of cybersecurity and emphasise risk management to ensure device user/patient safety and data integrity. Manufacturers are expected to perform proactive and ongoing security risk assessment and vulnerability management, and to incorporate secure software development practices and incident response plans. Cybersecurity risk management is critical both pre-market and post-market.
Managing cybersecurity risks in medical devices, both pre- and post-market, can be described via three key pillars:
- Security Risk Assessment
- Security Architecture
- Security Testing
Security Risk Assessment consists of assessing the cybersecurity risks of the digital health device. The assessment is done during initial design and continually re-assessed throughout the lifetime of the device, because the threat landscape keeps evolving. Security Risk Assessment involves threat modelling and cybersecurity risk assessment both pre- and post-market. It examines the exploitability of risks and vulnerabilities, including those related to third-party software and interoperability, across the total product life cycle.
The next pillar, Security Architecture, consists of the design and implementation of appropriate controls to mitigate the risks identified in the Security Risk Assessment. It involves developing security architecture views and incorporating a set of risk controls covering authentication, authorisation, cryptography, integrity of code/data/execution, confidentiality, event detection/logging, resiliency, recovery, updatability, patchability and others as applicable.
The final pillar is Security Testing to demonstrate the effectiveness of the risk controls incorporated within the Security Architecture. Testing of cybersecurity controls goes beyond standard software verification and validation with the addition of vulnerability and penetration testing.
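The following is an added example, not code from ICON or from any device manufacturer, showing how several of the Security Architecture controls named above (authentication, integrity of data, input validation and event logging) fit together on the device side of a command channel, and how the Security Testing pillar's negative tests exercise them. The per-device key, the command names, the wire format and the rate bounds are all constructed for illustration; a real device would provision its key at manufacture and hold it in protected storage.

```python
# Added illustration, not ICON's code or a vendor's: a device-side command
# handler that authenticates, replay-checks, validates and logs every frame,
# plus the negative tests a security-testing pass would run against it.
import hashlib
import hmac
import json
import struct

# Hypothetical per-device key (constructed). Never hard-code keys in real firmware.
DEVICE_KEY = b"example-per-device-key-32-bytes!"
# Hypothetical command set and safe bounds for the SET_RATE parameter.
ALLOWED_COMMANDS = {"GET_STATUS", "SET_RATE"}
RATE_LIMITS = (40, 180)
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def build_frame(key, counter, command, params):
    """Controller side. Wire layout (constructed): 4-byte big-endian counter
    | JSON body | HMAC-SHA256 tag over counter and body."""
    body = json.dumps({"cmd": command, "params": params}, sort_keys=True).encode()
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class DeviceCommandHandler:
    """Device side: a frame changes device state only after every check passes."""

    def __init__(self, key):
        self._key = key
        self._last_counter = 0  # monotonic counter for replay detection
        self.log = []           # security event log (in memory for the example)
        self.rate = 70          # hypothetical current setting

    def _audit(self, outcome, detail):
        self.log.append({"outcome": outcome, "detail": detail})

    def handle(self, frame):
        if len(frame) < 4 + TAG_LEN:
            self._audit("REJECTED", "frame too short")
            return False
        header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + body, hashlib.sha256).digest()
        # Authenticate before parsing anything, using a constant-time compare.
        if not hmac.compare_digest(tag, expected):
            self._audit("REJECTED", "bad authentication tag")
            return False
        counter = struct.unpack(">I", header)[0]
        if counter <= self._last_counter:
            self._audit("REJECTED", f"replayed or stale counter {counter}")
            return False
        try:
            msg = json.loads(body)
            cmd, params = msg["cmd"], msg["params"]
        except (ValueError, KeyError, TypeError):
            self._audit("REJECTED", "malformed body")
            return False
        if cmd not in ALLOWED_COMMANDS:
            self._audit("REJECTED", f"unknown command {cmd!r}")
            return False
        if cmd == "SET_RATE":
            rate = params.get("rate") if isinstance(params, dict) else None
            if not isinstance(rate, int) or not RATE_LIMITS[0] <= rate <= RATE_LIMITS[1]:
                self._audit("REJECTED", f"rate out of bounds: {rate!r}")
                return False
            self.rate = rate
        self._last_counter = counter
        self._audit("ACCEPTED", f"{cmd} counter={counter}")
        return True


def run_negative_tests():
    """Security-testing style checks: the legitimate frame must be accepted and
    each hostile variant rejected. Returns the outcome of every case."""
    dev = DeviceCommandHandler(DEVICE_KEY)
    good = build_frame(DEVICE_KEY, 1, "SET_RATE", {"rate": 75})
    tampered = bytearray(good)
    tampered[6] ^= 0x01  # flip one byte inside the body; the tag no longer matches
    wrong_key = build_frame(b"x" * 32, 2, "SET_RATE", {"rate": 75})
    out_of_range = build_frame(DEVICE_KEY, 3, "SET_RATE", {"rate": 400})
    unknown = build_frame(DEVICE_KEY, 4, "UNDOCUMENTED_CMD", {})
    return {
        "legitimate": dev.handle(good),
        "replay": dev.handle(good),  # same counter again
        "tampered": dev.handle(bytes(tampered)),
        "wrong_key": dev.handle(wrong_key),
        "out_of_range": dev.handle(out_of_range),
        "unknown_command": dev.handle(unknown),
        "final_rate": dev.rate,
        "rejections_logged": sum(1 for e in dev.log if e["outcome"] == "REJECTED"),
    }


if __name__ == "__main__":
    for case, result in run_negative_tests().items():
        print(f"{case:18} {result}")
```

The ordering of checks is the design point: the tag is verified before the body is parsed, so malformed or hostile content never reaches the parser unauthenticated, and every rejection leaves an audit record that the event detection/logging control can surface. The negative test set is the kind of evidence the Security Testing pillar expects beyond ordinary functional verification: a control is shown to work by demonstrating what it refuses, not only what it accepts.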
During clinical investigations, and throughout the lifetime of the Software as a Medical Device (SaMD), cybersecurity incident response plans and remediation processes also need to be in place to manage any cybersecurity incident effectively. The plans and processes need to include timely communication with affected parties, containment of the incident, and implementation of appropriate remediation measures to prevent recurrence.
ICON has worked with many clients to identify and address critical gaps within risk management processes and documentation. If you need assistance with establishing a Security Risk Management program for your device that aligns with the three key pillars identified by the FDA, ICON can help.
Contact us to learn more about how we can support your digital health device cybersecurity risk management needs.
References:
[1] https://hitconsultant.net/2024/07/12/cybersecurity-vulnerabilities-in-implantable-medical-devices/
[2] https://www.criticalinsight.com/blog/top-6-hackable-medical-iot-devices; https://www.globalsign.com/en/blog/medical-devices-hackers-target