Five ways pharma and MedTech companies can ensure cyber security and trust in their digital health solutions

Abstract

Drug delivery and medical devices are increasingly becoming connected, offering real benefits to patients and healthcare providers. Such advances offer care that is safer, faster, and more convenient for patients. Patients who get information on their mobile phone on whether they have administered their drug dose correctly, for example, will not need to visit the clinic as often. These connected devices are vulnerable to a range of cyber threats with several incidents being flagged by the FDA. Addressing cyber risks requires focussed effort from the early stages of the design of the device and throughout its lifecycle. The article outlines key recommendations to help reduce the cyber risk of connected medical devices and ensure cyber security is embedded into the design.

Drug delivery and medical devices, from pacemakers to diagnostics, are increasingly becoming connected and offering real advances in the delivery of healthcare. These devices contain software that connects to the external world to share or receive data, and provide benefits such as compliance, adherence and monitoring vital signs. It is essential to ensure these devices are cyber secure.

In addition to being increasingly connected, devices such as wearables, implants, and drug delivery systems are becoming more advanced, using data analytics and machine learning technologies. These advances offer care that is safer, faster, and more convenient for patients. For example, patients who get information on their mobile phone on whether they have administered their drug dose correctly will not need to visit the clinic as often. Connected pacemakers can be programmed remotely based on changes in the condition of patients’ hearts which can prevent more invasive intervention. Diabetic patients using their connected mobile app in a closed loop with blood glucose meters and insulin pumps can ensure their blood glucose levels are maintained. Most hospital systems from x-rays, CTs and MRIs are connected, often through wired connections, to support with troubleshooting or transfer of patient data across the healthcare systems.

While connected devices have immense potential to improve patient outcomes, real vulnerabilities exist in digital health solutions⁵:

• Insulin pumps in the market found to be remotely exploitable through multiple attack vectors.
• Some implanted defibrillators were found to contain vulnerabilities that would allow them to be exploited by attackers who had the right knowledge of the devices.

These vulnerabilities, if exploited, could cause significant harm to patients such as:

• Patients missing their doses due to compliance software failing.
• Drug delivery device failures leading to over or under dose.
• Inability to use the device due to denial of service or ransomware.
• Data leaks impacting patient privacy.

To put these aspects in perspective, it is expected that there will be 14 billion connected devices in use by 2022¹ with many likely to be related to healthcare/wellness and medical applications. There are over 350,00 digital health apps currently available to consumers². According to, IQVIA’s new Digital Health Trends 2021 report, there were more than 90,000 health apps released in 2020¹. The trend increasingly shows movements towards connected devices and digital health and asks the question whether such movements translate into patient centric solutions without compromising safety and efficacy of the devices due to cyber threats.

Recommendations for developing safe connected devices and digital health apps from a cyber security perspective

Embed cyber security requirements in the architecture from the start of development

Developing cyber security requirements during the design input phase helps to ensure security is baked into the solution, and not added in retrospectively, reducing the risk of increased project costs and complexity. The lack of a unified global standard makes designing cyber security into solutions a complex undertaking as there is no established industry wide approach.

We recommend starting with understanding the target markets for the medical device to gather intelligence on the applicable cyber security regulations, standards and guidelines. This can be used to generate a single set of cyber security requirements which are aligned with all the desired target markets, in the form of a requirements matrix. This matrix covers both product and process-based requirements. These requirements will then need to be customised to the medical device, taking in to account both the intended use and capabilities of the device and associated digital solution.

Ensure regulatory requirements are considered along with other medical device standards and regulation

In the EU, the cyber elements of the Medical Device Regulation 2017/ 745 and EU In-Vitro Diagnostic Regulation 2017/746 need to be addressed. Many device manufacturers have limited awareness of the cyber elements in the EU Directives, and much is left to the medical device manufacturers to interpret. In the US market, FDA guidance covers both pre-and-post market considerations for cyber security, but some aspects of the guidance require customisation for the specific device. Data privacy regulations also form an important part of the compliance assessment.

For EU markets we recommend a review of the EU Directives to extract the relevant cyber, data privacy and IT security clauses, which can be used to ensure these regulatory requirements are well understood at the outset of the project.

For the US market, the recent Executive Order on “Improving the Nation’s Cybersecurity” needs to be considered, along with other FDA guidance, as this signals the US administration’s direction of travel for critical infrastructure and similar services, including medical devices.

Include a cyber security expert on your development team throughout the program

Medical device projects typically involve multi-disciplinary teams covering hardware, embedded firmware, software, mobile app and cloud developments. The primary focus of these teams is delivering a viable product, and cyber security considerations can often be pushed to a latter phase, leading to more serious issues downstream resulting in rework and delays.

By having a cyber-SME working with the development teams, key cyber security issues related to standards and regulations can be addressed early, driving up compliance and saving cost. It is important for the cyber-SME to be approachable and solution oriented, helping the team move forwards with building security into the product architecture. Adopting a risk driven approach is recommended, as this ensures cyber security controls are proportionate to the risks of patient harm or data leak. The TIR57/2016 guidance, “Principles for medical device security – Risk Management”⁴ is a key document to guide the process. It is important to note that the cyber risk and safety risk analysis processes are distinct, but there is a requirement for the interplay between the two processes.

Security testing during the development to gain confidence

There is a perception that security testing (often referred to as PEN testing) ensures cyber security has been addressed. The reality is that security testing is typically scheduled at the end of the verification phase or even just prior to production. Issues discovered at this late stage can require significant rework, particularly for low-power devices with minimal computing power.

The focus of effort needs to be on secure by design principles and cyber risk management. To reduce risk, we recommend that initial security testing is conducted at component level (embedded device, cloud, mobile app) as early as practically possible and then scheduled at relevant stages through the development lifecycle. The skills required to security test a connected device, a mobile app and a cloud service are different, often leading to a need to engage multiple security experts or cyber testing providers.

Help patients be active participants in keeping their devices/apps safe and updated

Finally, there is a role for patients and caregivers to play to keep their connected devices and apps safe. Technologies and threats change with time and therefore post market processes are required to maintain them.

It is important to have software updates which are easy for patients to install or are applied automatically. Device manufacturers need to offer a range of services to support products in-life, such as registration, device recalls, vulnerability reporting and vulnerability disclosure to regulators. The use of medical device Information Sharing and Analysis Organisations (ISAOs) is advised, to ensure latest intelligence on cyber threats, risks and alerts can be actioned.

Cyber security in connected devices and digital health

The healthcare sector is rapidly moving towards connectivity and complexity at the same time, largely driven by the demand in the market of patient driven solutions. The pharmaceuticals and medical device companies are catching up with the demand, mainly due to the complexities of the digital solutions and limited resources available with the relevant experience. The regulatory requirements are constantly evolving at the same time.

The businesses that develop safe, effective, and patient centric solutions, will lead the way in the future economy.

References and notes

¹ Market size and connected devices: Where’s the future of IoT? - Bosch Connected World Blog (bosch-si.com)

² Over 350K digital health apps are flooding the market - here’s how apps can stand out - Insider Intelligence Trends, Forecasts & Statistics (emarketer.com)

³ IQVIA Digital Health Trends 2021

⁴ TIR57/2016 guidance “Principles for medical device security – Risk Management” from the Association for the Advancement of Medical Instrumentation (AAMI).

⁵ Safety Communications | FDA