IoT and medical devices can be a scary combination
Medical devices are undergoing an evolutionary change partly due to the current emergence of the Internet of Things (IoT), opening the door to an entirely new level of complications. Before we dive into details about connected medical devices and some of the benefits and current threats, let me make something perfectly clear: Stolen medical data on the black market is significantly more valuable than debit or credit card numbers, and typically includes far more personal information. Cyber attacks, typically malware infections, are proving successful – despite hospitals deploying a variety of security methods.
As more IoT-connected medical devices are used, cybersecurity vulnerabilities pose a massive threat that proves difficult to control. In theory, successfully hijacking a connected medical device could put patient lives at risk, so there’s a pressing need to get things right the first time.
All of this trouble involving security threats and other problems related to IoT may beg the question, why even bother supporting medical devices with connectivity? Connectivity helps pave the way to deliver enhanced patients diagnosis, along with better monitoring and prevention of potential health problems. Ideally, the likelihood of inappropriate care will be reduced if data is being collected and easily shared in a connected world.
Connected medical devices could help prevent medical errors, according to a recent survey of 526 registered nurses. Currently, nurses and other hospital personnel must take ownership of transcribing information onto paper charts, opening up the door to potential medical errors.
Of course, adding connectivity to medical devices is a complex task, especially with FDA regulations largely unable to keep up with current technology trends. Some cybersecurity experts – and IoT critics – believe that the FDA hasn’t done enough to mandate the growing need for cyber security. However, design controls are legally enforceable under Code of Federal Regulations Title 21 820.30(g), which covers design validation.
As such, manufacturers must include “design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the DHF [design history file].” It’s worth noting that this isn’t just for the medical device itself, but for the process that’s used to push updates once a device is deployed.
Earlier this year, the FDA published a safety notice that warned a connected infusion pump was vulnerable to cyber attack. It was the first time the FDA issued this type of warning, but don’t expect it to be the last.
Medical device manufacturers face problems from a starting concept, through the design process and up to product launch. The use of requirements management software can help medical device manufacturers accelerate innovation, while also achieving various forms of government compliance: FDA 21 CFR Part 820, FDA 21 CFR Part 11, and IEC 62304. The ability to use a proven medical process that features customizable templates from the beginning helps ensure better workflow control for routing, escalation, and approval.
Polarion recently co-hosted a medical device cybersecurity webinar with Siemens, which will be available on-demand in the near future. If you’re interested to hear how IoT is currently impacting medical device cybersecurity and regulation, please check out the on-demand webinar.
Discussing medical devices accessing IoT is a rather confusing mess, with growing disarray as more connectivity is added. Great progress is being made at the federal level, with growing proactive security-related behavior from the FDA, FBI, Department of Homeland Security, and United States Computer Emergency Readiness Team (ICS-CERT). But there are simply very few easy answers.
Using the right software can help make managing complexity significantly easier, so it’s worth a closer look as your company thinks about its newest medical device.
Michael Hoffman serves as Polarion Software‘s Senior Writer and Blog Master, creating content and assisting the company’s marketing team.