Ravi Subramaniam, director, Conformity Assessment for IEEE SA, outlines the IEEE’s new standards for wireless medical devices in response to the FDA refusing to accept medical devices and associated systems due to cybersecurity concerns.
Connected devices
Technology continues to revolutionise healthcare, including medical devices such as pacemakers and insulin pumps, which are becoming increasingly interconnected. Despite the many benefits from these advancements, they also expose healthcare systems and patients to cybersecurity risks. Cyberattacks via medical devices can be both disruptive and dangerous, with risks including system shutdowns and compromised patient safety.
Health records are valued 40–50 times more than credit card data on the dark web. Following a credit card data breach, a client might cancel the card or even change their social security number. But a patient’s health record cannot be changed. This can result in lifelong consequences.
The U.S. federal government is increasingly focused on regulating the cybersecurity of medical devices. A new mandate by the Food and Drug Administration (FDA), effective 1st October 2023, states that the FDA will “refuse to accept” medical devices and associated systems with cybersecurity concerns. The IEEE Standards Association (IEEE SA) has developed IEEE 2621, a series of standards for diabetes-related wireless medical devices that is also designed to be extensible to all medical devices.
Recognising the need to support medical device manufacturers in meeting the FDA's rigorous criteria and minimising potential refusals, industry stakeholders collaborated with IEEE SA to go a step further by developing a Certification Program for Medical Device Manufacturers. This program aims to assist manufacturers in aligning with the FDA's mandate effectively and efficiently, while streamlining the compliance process and minimising the friction associated with FDA evaluations and approvals.
The introduction of these standards and the certification program underscores IEEE SA’s commitment to support the industry’s need to address cybersecurity measures in medical devices while providing a practical framework for manufacturers to navigate the evolving regulatory landscape.
FDA mandate
As connectivity across the globe surges due to the adoption of technology, including wearables, mobile devices, computers, and the Internet of Things (IoT), the emphasis on security has grown significantly to combat threats from cybercriminals. This is particularly true for medical devices, including both clinical-grade and consumer-grade technologies. Ensuring the safety and integrity of the data and information collected by these devices is a major point of concern.
Acknowledging the importance of protecting the data generated and monitored by medical devices, the recent mandate from the FDA marks a pivotal milestone – the ability to approve or refuse a device due to cybersecurity concerns. As technology continues to evolve and intertwine with healthcare, the FDA's proactive stance sets a precedent for prioritising data security and paves the way for a more resilient and secure environment for medical device users globally.
The requirements in section 524B(b) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) note that for medical device manufacturers to take their products to market, they must:
- Submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures
- Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems; and
- Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
IEEE 2621 Series of Standards
The IEEE 2621 series of standards – adopted into the FDA’s catalogue of standards in December 2022 – defines the concept of cybersecurity assurance for wireless diabetes devices (extensible for all medical devices), specifies security requirements, and provides instructions on how to achieve that assurance. Developed by a group of industry stakeholders in concert with the IEEE Engineering in Medicine and Biology Society (EMBS), the IEEE 2621 series addresses the needs of a broad set of diverse stakeholders.
The IEEE 2621 series:
- Helps manufacturers to identify relevant threats, establish appropriate security objectives to counter them, and create security requirements that meet those objectives.
- Provides instructions for manufacturers on how to document the security of connected medical devices and their interoperable components so that they can be used safely with consumer mobile devices such as smartphones in the control of CDDs.
Because of the increased attention paid to cybersecurity vulnerabilities by regulatory bodies, the development of cybersecurity standards and conformity assessment programs, such as the IEEE 2621 Conformity Assessment Program, may lead to a more consistent and robust approach to developing and supporting security in diabetes devices and, by extension, all medical devices.
IEEE Medical Device Cybersecurity Certification Program
To ensure the safety and resilience of wireless medical devices against vulnerabilities, manufacturers must test that their products withstand potential cyber threats. This necessitates a collaborative effort among stakeholders, including device manufacturers, clinicians, hospitals, and testing organisations, to forge a secure and interoperable healthcare environment. To achieve this, the establishment of robust standards and the implementation of an industry-endorsed conformity assessment program are imperative. These measures not only mitigate risk but also serve as evidence of a product's adherence to established guidelines.
In an effort to facilitate a streamlined FDA approval process and provide a conducive environment for manufacturers, the IEEE 2621 Conformity Assessment Committee (CAC) offers the IEEE Medical Device Cybersecurity Certification Program. The program offers a straightforward evaluation process with a clear definition of scope and test requirements specific to medical devices:
- Pre-assessment of your medical device by an IEEE approved lab
- Testing using IEEE 2621 Test Plan and Checklists that remove ambiguity from the process
- Standardised reporting of test results
- IEEE Certification Mark that helps manufacturers differentiate their products from competitors
- Inclusion of certified products in the IEEE Medical Device Registry
- Assistance with submission to regulatory bodies
- Meeting FDA submission criteria
Other IEEE SA Standards efforts
The IEEE 2933 Working Group is in the final stages of publishing IEEE P2933: Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS (Trust, Identity, Privacy, Safety, Security). The standard establishes a framework built on TIPPSS principles for Clinical IoT data and device validation and interoperability, including wearables and connected medical devices, with EHR (electronic health records) and other remote and in-facility medical devices. It establishes trust and identity across multiple levels:
- Device development and manufacturing
- Design lifecycle & management
- Inter-device and cross-systems trust
- Interactions between decentralised environments
- Device-to-human interaction (e.g., support technician, clinical operator, or patient)
The standard also embraces the Zero Trust Architecture approach.
After the publication of IEEE P2933, the group will begin work on IEEE P2933.1, Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS for Clinical Trials Remote Participant Monitoring. Using the existing framework from the original standard, this draft standard will adapt it to secure the devices and data, and ensure their interoperability, for trial sponsors, investigators, and patients where remote monitoring is part of the study protocol.
Additionally, a new pre-standards incubation program, Zero Trust Cybersecurity for Health Technology Tools, Services, and Devices, was launched in June 2023. The program will develop a roadmap for a suite of new zero-trust network access (ZTNA) standards that integrate commercial and open-source health technologies to demonstrate the security features of Zero Trust Architecture (ZTA) when applied to enterprise healthcare IT use cases. This will include authentication and authorisation of discrete subject and device functions, remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. It will present recommendations for validating and verifying selected technologies (devices, platforms, and systems) to modernise standard cybersecurity approaches in healthcare, with the aim of mitigating intrusions, securing data, and avoiding interruption of clinical work.
The IEEE SA invites all interested stakeholders to participate in the IEEE 2621 Conformity Assessment Committee, and welcomes contributions to the decision-making process, helping to shape the future of medical device cybersecurity. By joining, you can play a pivotal role in forging a secure and interoperable healthcare environment, ultimately benefiting medical device users worldwide.