The New Frontier in Medical Devices: Will Innovation Drive Cyber Attacks?
Wearables That Diagnose by Design
We can now peer into our genome and microbiome to assess our individual risk of disease, but soon dynamic data will enhance our ability to choose the most effective medical care. Health-related apps, trackers and software create robust data sets with the capacity to move personalized medicine into new territory. The real-time communication of biometric information to physicians, researchers and consumers allows for informed decisions to provide the best quality of care.
With an eye towards the health-monitoring market, tech titans like Apple and Alphabet are expanding their wearable technology to encompass tasks like measuring oxygen levels in blood or abnormal heart rhythms. Disruptive technology like this faces unique challenges in the healthcare industry. The FDA recognizes both the potential and challenges of digital health technology innovation and has partnered with select leaders in the medical device and technology sectors to create a streamlined process for safely delivering these powerful tools to the public.
Regulation That Doesn’t Impede Innovation
To enable innovation in digital health technology, the FDA launched the Pre-Certification for Software Pilot Program. Unlike the regulation of traditional medical devices, the focus here is on software development rather than on a product. The necessity for frequent updates and upgrades, together with the truncated commercial cycle of new product rollouts, requires a new regulatory process to ensure that innovation is not stifled.
The Pre-Certification for Software Pilot Program aims to create a regulatory framework to review systems for software design, validation, and maintenance to determine if a company meets the required quality standards to become “pre-certified”. Pre-certified companies would benefit from an abridged approval process before marketing new digital health tools, provided the software and internal processes are sufficiently reliable.
Preparing the FDA for the Digital Health Revolution
Not only is the FDA providing guidance on legislation and reinventing regulatory processes, it is also broadening its expertise to prepare for the expansion of digital health technologies. User fees will be used to support new staff members with a deep understanding and practical knowledge of software development and its application to medical devices. Additionally, the FDA is launching an Entrepreneurs in Residence Program to invite organizational and operational input from thought leaders in software development.
The Digital Health Innovation Action Plan details the FDA’s efforts to advance innovation in digital health technology to help people receive the right diagnosis, better manage chronic diseases, and seek preventative care.
Hacking of the Healthcare Industry
Medical devices are creating new vulnerabilities in the healthcare industry that put patient care and personal data at risk. In recent years, the healthcare industry has been hacked more frequently than the financial sector due to the lack of attention to cyber security risk.
Hackers take advantage of inadequate security on medical devices not only to control the device itself, but also to use it as an entry point to access larger hospital networks. Once a network is compromised, hackers can hold patient data or services for ransom until a hospital pays the extortion fee. Given the life or death stakes of having access to all the necessary tools for patient care, hospitals tend to be a fruitful target for hackers looking for a quick payment in exchange for handing back data.
In addition to holding data and services ransom, hackers can also access patient data to perpetrate identity theft for financial fraud, or to fill prescriptions and sell them on the dark web. Cyber security in the healthcare sector is an issue that needs to be addressed to ensure the safety of patients’ data and access to quality care.
Innovation at the Risk of Cyber Security
The potential to manage chronic illnesses, collect meaningful data to inform care, and facilitate real-time communication of health information will advance the quality of patient care, but will the pace of innovation outrun the attention to cyber security risk?
In the U.S., each hospital bed contains 10 to 15 connected medical devices, and each device represents a potential vulnerability to cyber security. These devices are easily discoverable, and while each device is not necessarily vulnerable, the sheer volume and accessibility make finding an entry point an inevitability for hackers. The diversity of devices and the lack of attention to security checks by both the device manufacturers and the hospitals’ networks create a real security threat. Creating a fast track to bring medical devices to market by pre-approving companies will exponentially increase risk if cyber security is not given holistic attention.
Clarity on Regulation
The FDA has been warning the healthcare industry for years about the vulnerability of medical devices to cyberattacks, but these warnings have largely been without consequences. It’s clear that the FDA will be advancing the expectations of cyber security in medical devices, but standardization and clarity are needed.
Legislation from two lawmakers aims to lay out a framework to address these issues. U.S. Representatives Dave Trott and Susan Brooks introduced the Internet of Medical Things Resilience Partnership Act to collect and centralize all existing cyber security standards, guidelines, and best practices. The committee will identify gaps and problems, and define actionable solutions and a framework as a reference for IoMT (Internet of Medical Things) developers. This collaborative approach to securing the already vulnerable landscape of technology in the healthcare industry is a much-needed protection, particularly with the impending expansion of medical devices.