Medical Device Security: New FDA Guidelines to Improve Patient Safety

FDA to Crack Down on Medical Device Security

Introduction – IoT in Healthcare

Medical device security is a critical concern for patients, healthcare providers, and manufacturers alike. The FDA has passed legislation on the topic to help ensure that medical devices are designed, developed, and maintained with security in mind. In this blog article, we will explore the FDA’s legislation on medical device security, including key recommendations and considerations. Make sure you’re ready!

The Internet of Medical Things – IoMT and Medical Device Security

The digital healthcare market is one of the fastest-growing segments of connected devices and a vital part of the healthcare industry. It’s estimated that by 2024 there will be 94 million connected medical devices worldwide (Source). While these devices can improve patient care and reduce treatment costs, they can also be vulnerable to bugs, cyberattacks, or even total system failure.

Regular, secure software updates are an essential part of keeping connected medical devices and their users safe. OTA updates are crucial because they allow for the remote management and protection of millions of devices that could not be feasibly serviced manually because they are too numerous or inaccessible (think pacemakers).

Not only are OTA updates crucial, but they are also an FDA-enforced requirement for medical devices that applies to any submissions made after March 29th, 2023. These regulations have contributed to a global trend in which spending on medical device security is growing rapidly. In fact, the medical device security market was valued at $6.23 billion in 2019 but is expected to nearly triple by 2027, reaching $17.49 billion (Source).

Why is IoMT Device Regulation Necessary?

  • IoMT devices handle sensitive medical data, which makes potential breaches very harmful. Any breach of this information can have dire consequences for patients, such as identity theft, financial loss, or medical fraud.
  • These devices are responsible for the well-being of patients and users, meaning any malfunction could present the risk of physical harm or even death.
  • IoMT devices have the potential to serve as entry points for malicious attacks on healthcare networks, particularly in hospitals, which can lead to the disruption of critical care and incur significant financial costs. A single compromised device could render the entire hospital network susceptible to attacks, causing delays in vital procedures such as surgeries.
  • Medical devices can even be used as part of terror attacks where life-saving devices are tampered with, causing fatal harm to users. For example, a terrorist may tamper with a patient’s ventilator or pacemaker, causing the device to malfunction and potentially harm or kill the patient. Terrorists may also alter the dosage or composition of medicines, causing adverse reactions or even death.

FDA Guidelines for IoMT Device Software Updates

In response to industry concerns about these growing risks, the FDA passed legislation for medical devices or digital health technologies (DHTs). FDA guidance on updating IoMT devices can be found here.

The short document details the processes and procedures required by the FDA as well as which kind of medical devices the guidelines are applicable to.

Guidance specific to medical device software updates can be found in subsections (b)(2)(A-B) of the legislation.

It states that any person who submits an application or medical device submission that qualifies as a “cyber device” (defined in subsection (c)) must:

“(2) design, develop, and maintain processes and procedures to provide a
reasonable assurance that the device and related systems are cybersecure, and
make available postmarket updates and patches to the device and related systems
to address—
(A) on a reasonably justified regular cycle, known unacceptable
vulnerabilities; and
(B) as soon as possible out of cycle, critical vulnerabilities that could
cause uncontrolled risks;” (Source).

What Counts as a Software Update?

The two main categories of IoMT software updates are minor updates and major updates.

Minor updates are changes that do not present a significant chance of affecting a device’s safety or effectiveness. Changes like bug fixes, small security patches, and user interface (UI) improvements would all fall under this category.

Major updates are changes that could significantly affect a device’s safety or operation. Examples of major updates include adding new features and functionality to a device or changing the device architecture significantly. The FDA defines major updates as those in which the device is “significantly changed or modified in design, components, method of manufacture, or intended use” (Source).

When Do You Need FDA Approval to Send IoMT Device Software Updates?

The answer is that it depends on the scope of the update.

Minor updates might not require FDA clearance, but documentation and validation of the update are required.

Major updates might require FDA clearance or approval depending on how the update could impact the device’s safety or functionality. If the update significantly impacts the device’s utility or presents new risks to patients, the manufacturer must submit a new 510(k) or premarket approval (PMA) application to the FDA.

For more information on determining whether or not your software update requires a 510(k) submission, see this guide.

Software updates are absolutely essential for improving the safety and effectiveness of connected medical devices, yet any change to an IoMT device’s software also presents a possible risk to users. The connected device landscape is still evolving quickly, and the $1.7 trillion omnibus package that passed in December 2022 gave the FDA new authority to mandate medical device security regulations. It’s essential that device developers stay on top of these changes by making compliance a part of their development strategy.

If you develop connected medical devices, connect with an expert to learn the best way to securely manage updates for your medical devices. Get in touch today to start the conversation!
