The United States recently passed a law that compels all medical device makers selling their web-connected products in the US to obtain pre-market approval before they can start selling. Also, this law requires manufacturers to prove that they have plans for post-market surveillance, including the monitoring, updating, and remediation of their devices if security issues arise.
The vast majority of consumers likely have no objection to this law. However, some would say that it borders on government overreach, arguing that a capitalist system has its “natural” ways of weeding out unsafe or insecure products. The presumption is that device makers understand that consumers want secure products, so they will logically ensure that their products are secure in order to win customers, lest they lose out to competitors.
Rationalizing post-market medical device security
There are many compelling reasons for organizations to aspire to reliable cybersecurity, and most organizations acknowledge the need for effective cyber protection. A survey by Red Hat reveals that security is now the top priority for IT funding. A Cisco report also says that 96 percent of business executives regard cybersecurity resilience as the top priority. However, the organizations surveyed here are most likely not medical device manufacturers, or only an insignificant few are. Those that happen to be medical device makers are likely saying that they want to prioritize cybersecurity, but not necessarily in terms of providing post-market surveillance (PMS) for the products they offer.
It’s one thing to seek to be cyber secure as an organization. It’s another to voluntarily ensure medical device security after the device has already been sold. This is not to say that medical device manufacturers have no regard for their customers’ security. Rather, there are limitations and challenges in implementing cybersecurity systems on connected devices, especially when they are deployed en masse.
The upside in all of this, however, is that post-market surveillance for medical devices does not have to be costly or overly complex. Device makers that have been averse to the idea of PMS for their products can take advantage of post-market surveillance solutions capable of monitoring low-resource devices and providing deterministic security through runtime application protection.
In other words, post-market medical device security is vital and there shouldn’t be many obstacles in achieving it, given the availability of PMS security solutions that can work even in low-resource legacy devices.
Are regulations requiring medical device PMS necessary?
If organizations acknowledge the importance of PMS and it is not that difficult to do post-market surveillance for medical devices because of modern security solutions, is there any need for laws to mandate it?
Before answering this question, here’s a look at some of the major laws and regulations that require medical device makers to conduct post-market surveillance or have plans for it.
- US FDA 21 Code of Federal Regulations Part 822 – The US Food and Drug Administration requires PMS plans for Class II and Class III devices, which are usually implanted in the body to support or sustain biological functions. These include infusion pumps, pacemakers, and other intermediate and high-risk devices. To emphasize, device makers are not required to always conduct PMS for all their Class II and III devices. They only need to submit a plan, which should be executed immediately in response to reports of safety and efficacy problems or according to the PMS orders issued by the FDA.
- MedWatch Product Safety Reporting Program – This program of the FDA is supplemental to Part 822 of the US FDA 21 Code of Federal Regulations. It is a program that requires healthcare professionals, patients, and medical product consumers to report product safety concerns. Thus, it can trigger the issuance of a PMS order by the FDA.
- EU Medical Device Regulation – The European Union’s Medical Device Regulation (MDR) is a set of mandates, rules, and guidelines for the sale and clinical investigation of human-grade medical devices. It includes a provision requiring device makers to submit a PMS plan as a component of the technical documentation of their products.
A bit stricter than FDA’s CFR Part 822, MDR requires manufacturers to submit a PMS report or a periodic safety update report depending on the class of the device they sell. The PMS report is a requirement for Class I or low-risk devices and Class A and B devices under the In-Vitro Diagnostic Regulation (IVDR). Meanwhile, a periodic safety update report is required for Class IIa, Class IIb, and Class III devices. These are medium-risk, medium to high-risk, and high-risk devices. The periodic report is also compulsory for Class C devices under IVDR.
These regulations appear highly sensible. They are designed to ensure medical device security and safety without being too onerous or burdensome for manufacturers. However, are they really necessary? Unfortunately, without the regulations, device manufacturers are unlikely to be consistent with their cybersecurity measures, and consumers are unlikely to prefer paying a premium for device security.
One study shows that consumers are willing to pay more for brands they trust, but how exactly do patients or medical device users decide which brands are trustworthy? Medical devices are unlike regular consumer goods with which consumers accumulate experience and build trust. In most cases, they only rely on their healthcare providers’ recommendations, which are not guaranteed to be impartial.
The added costs of PMS
The benefits of PMS for medical devices are arguably priceless. It is difficult to put a price on the lives saved or inconveniences avoided by having properly secured medical devices. However, it is possible to come up with price estimates for the added costs.
On average, PMS costs around two to three percent of a device maker’s annual revenue. It can go higher than ten percent for high-risk devices once the costs of software development, product modifications, additional personnel training, and marketing adjustments are taken into account. These costs are ultimately passed on to consumers, which means inflating the prices of medical devices.
Medical device manufacturers are trying to avoid these costs and consumers naturally want device prices to be lower. However, it is difficult to ignore the costs of cyber threats. In 2019, the FDA issued an alert on potential security vulnerabilities in some insulin pump models produced by Medtronic. It was good that the defect was detected early. This resulted in a costly recall for Medtronic, but it also saved countless lives.
The FDA and other government agencies are expected to be vigilant in tracking down medical device issues. However, they cannot be expected to be in full control of everything. The responsibilities (for device manufacturers, healthcare providers, and device users) laid out in the regulations cited above significantly help government regulators address medical device problems faster and more effectively.
It would be difficult to debate against the necessity of medical device security regulation. The biggest possible argument against it is the additional cost or device price increase, but this is in exchange for the significant reduction of the risk that medical devices are exposed to cyber attacks that result in seriously adverse consequences or possible death.