A recent interview by Medical Device Network with GlobalData medical analyst Alexandra Murdoch shares interesting insights into cybersecurity for medical devices. Murdoch said that one of the reasons why most organizations have a hard time securing their devices is the rapid adoption of new technologies, which has not been accompanied by the aggressive establishment of cyber defenses.
Over the past couple of years, healthcare facilities have not only digitized but also integrated into their regular operations a host of advanced medical devices including IoT appliances and connected wearables/implants. However, the security of these devices has been on the back burner for some time since healthcare providers and patients have focused on addressing more urgent concerns.
Now, there is hardly any excuse not to deal with cyber threats and risks forthrightly. The accelerated digitalization and use of connected devices in the healthcare field comes, and will always come, with the possibility of cyber attacks. There is a need to take advantage of all available solutions and points of leverage to keep threats at bay.
Even governments, which usually tend to be untimely when it comes to cybersecurity concerns, are showing proactivity in countering threats to connected digital medical devices. The United States Food and Drug Administration (FDA) has been ramping up the production of guidelines for the medical technology field. The FDA also launched a program for voluntary cybersecurity labeling for IoT and medical devices.
Additionally, several regulations now require device makers to undertake post-market surveillance (PMS) for medical devices. It is not enough for product manufacturers and sellers to ensure that the medical devices they are selling are safe, effective, and secure out of the box. They also need to monitor their products as they are being used by healthcare providers and patients. There are three main regulations prescribing PMS, as described below:
- US FDA 21 CFR Part 822 – Part 822 of Title 21 of the US FDA Code of Federal Regulations requires medical device manufacturers to conduct PMS on Class II and Class III devices that are implanted in the human body for at least a year, are deemed to be life-sustaining, or have malfunctioned and caused adverse effects on users.
- MedWatch – Another regulation that calls for PMS is the FDA’s medical product safety reporting program, which covers patients, healthcare providers, and buyers of medical devices. This program requires the reporting of issues and serious problems encountered during the use of such devices. This does not necessarily shift the burden of PMS to consumers, but it empowers them to ensure that device manufacturers have no excuse for failing to monitor the faults of their products.
- EU 2017/745 – More popularly known as the European Union Medical Device Regulation (MDR), this regulation compels medical device producers to submit a PMS plan alongside the technical documentation of their products. They may be required to submit a post-market surveillance report or a periodic safety update report depending on the class to which their products belong.
Data science plays an important role in different aspects of securing medical devices from cyber threats. In particular, it is useful in complying with new cybersecurity regulations aimed at connected devices used in healthcare.
Data science is applicable to post-market surveillance. In the modern context, data science entails a combination of statistics, mathematics, advanced analytics, specialized programming, as well as AI to produce insights and other useful knowledge from various data from different sources, including structured, unstructured, and noise-laden data.
In conducting PMS, device makers do not only collect reports of malfunctions, defects, security vulnerabilities, and instances of attacks. The data they gather is not only used to file reports. They can also take advantage of the massive amounts of data they collect to analyze problems and determine the right responses, come up with an efficient system to address recurrent issues, and ensure compliance with all applicable regulations.
Additionally, data science enables the analysis of patterns and anomalies to generate predictive models that can facilitate the detection of vulnerabilities and attacks. This detection can even be undertaken in real time by leveraging big data and artificial intelligence. With this, healthcare providers, device users, and device manufacturers can get alerts regarding potential threats and respond in a prompt manner. For example, several reports of infusion pump issues from users and some healthcare providers may not trigger the issuance of product alerts or recalls, but AI-powered analytics may already be picking up patterns that indicate serious anomalous activities. In this case, the problem is unlikely to be ignored and will be addressed promptly before it can result in serious consequences.
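The infusion pump scenario above can be sketched as a small added example (not code from the article or from any vendor): it scores recent weekly report counts against each device's own baseline with a median/MAD robust z-score and compares that with a fixed escalation threshold. The device names, counts, and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data: weekly counts of problem reports per device model.
# Model names and numbers are hypothetical, not real products or real PMS data.
WEEKLY_REPORTS = {
    "infusion-pump-A":        [2, 1, 3, 2, 2, 1, 3, 2, 7, 8],
    "glucose-monitor-B":      [5, 6, 4, 5, 6, 5, 4, 6, 5, 6],
    "pacemaker-programmer-C": [0, 0, 1, 0, 0, 0, 1, 0, 0, 1],
}

FIXED_ALERT_THRESHOLD = 10  # assumed manual rule: escalate at >= 10 reports/week
ROBUST_Z_CUTOFF = 3.5       # conventional cutoff for the modified z-score
RECENT_WEEKS = 2            # weeks scored against the earlier baseline


def robust_z(value, baseline):
    """Modified z-score: distance from the baseline median in MAD units."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    # Floor the scale at one report so a flat, near-zero baseline does not
    # turn a single extra report into an alert (or divide by zero).
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def score_models(reports):
    """Return per-model results comparing the fixed rule with the robust score."""
    results = {}
    for model, counts in reports.items():
        baseline, recent = counts[:-RECENT_WEEKS], counts[-RECENT_WEEKS:]
        scores = [round(robust_z(c, baseline), 2) for c in recent]
        results[model] = {
            "recent": recent,
            "z": scores,
            "fixed_rule": any(c >= FIXED_ALERT_THRESHOLD for c in recent),
            # Require every recent week to be anomalous: a sustained shift,
            # not a one-week blip.
            "anomalous": all(z > ROBUST_Z_CUTOFF for z in scores),
        }
    return results


if __name__ == "__main__":
    for model, r in score_models(WEEKLY_REPORTS).items():
        print(f"{model:24} recent={r['recent']} z={r['z']} "
              f"fixed_rule={r['fixed_rule']} anomalous={r['anomalous']}")
```

On this sample, the infusion pump never reaches the fixed threshold of ten reports a week, yet both of its recent weeks stand far outside its own baseline, while the busier glucose monitor stays unflagged.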
Moreover, data science helps identify cases that can trigger vulnerabilities or make it easy for threat actors to find attack surfaces and operate discreetly. Correspondingly, it can aid the formulation of solutions to plug security loopholes. In the case of applying security controls, for instance, data science can help find the best points to implement user verification mechanisms such as biometric recognition and multifactor authentication.
Data science is a highly suitable complement to medical cybersecurity systems given the growing aggressiveness and sophistication of cyber attacks as well as the emergence of new regulations. It can help develop systems that bolster medical device cybersecurity not only in terms of detection but also when it comes to mitigation and prevention.
This is not exactly a novel idea. Data science has already been integrated into cybersecurity, one way or another. However, it bears emphasizing how crucial data management, analysis, and presentation are in securing devices, particularly web-enabled devices that can directly affect people’s health or lives.
There is a synergy between data science and medical device cybersecurity, and not many recognize it. Some may have taken cognizance of this connection, but they are not taking advantage of it. It is important to harness the benefits at the intersection of data science and cybersecurity, especially as the use of connected medical devices grows and threats to them grow exponentially.