Medical Device Industry Update December 2022  

Key Stories  

• MITRE Publishes Updated Medical Device Cybersecurity Incident Preparedness and Response Playbook
• Virginia Senator Proposes Cybersecurity Mandates for Improving Cybersecurity Across the Healthcare Industry
• Abbott FreeStyle Libre 3 Review — A Discreet CGM For Diabetics
• A 3-Pronged Approach to Establishing Foundational Security Requirements for Medical Devices
• Upcoming Medical Device Events

MITRE Publishes Updated Medical Device Cybersecurity Incident Preparedness and Response Playbook 

In November, the FDA and MITRE released an updated version of their ‘Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook’. The playbook helps healthcare organizations prepare for security incidents involving medical devices. It includes tools, techniques, and resources that allow organizations to ready themselves for cyber breaches and respond in a suitable fashion.

The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework. It supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents. The revised version includes more explicit alignment with the Hospital Incident Command System for managing complex incidents, considerations for the widespread impacts and extended downtimes that are common during cyber incidents, and an appendix of resources.

The initial version of this playbook was published in 2018. Since then, cyberattacks have continued to impact the healthcare and public health (HPH) sector. MITRE said that from mid-2020 through 2021, 82% of healthcare systems reported a cyber incident, 34% of which were related to ransomware. 

Updates to the playbook include: 

• Emphasizing the need to have a diverse team participating in cybersecurity preparedness and response exercises. This includes clinicians, healthcare technology management professionals, IT, emergency response, risk management and facilities staff.
• Highlighting considerations for widespread impacts and extended downtimes during cybersecurity incidents, which benefit from the use of regional response models and partners.
• Adding a resource appendix that makes it easier to find tools, references and other resources to help healthcare organizations prepare for and respond to medical device cybersecurity incidents.

Virginia Senator Proposes Cybersecurity Mandates for Improving Cybersecurity Across the Healthcare Industry

In early November, Virginia Senator and Chairman of the Senate Select Committee on Intelligence Mark Warner released a whitepaper that describes a series of potential regulatory requirements aimed at improving cybersecurity across the healthcare industry. The paper, titled ‘Cybersecurity is Patient Safety’, outlines the current cybersecurity threats facing healthcare providers along with a series of policy solutions that would improve cybersecurity across the industry.

The paper states that cybersecurity can no longer be treated as a secondary concern and must become incorporated into every organization’s core business model.  

“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” wrote Sen. Warner.

Divided into three parts, the whitepaper is organized as follows:

• Chapter 1 covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the healthcare sector.
• Chapter 2 covers ways in which the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
• Chapter 3 covers policies that could help healthcare providers respond to attacks in the event of a cybersecurity failure. Specifically, it notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems.

A full copy of the paper can be found here.

Abbott FreeStyle Libre 3 Review — A Discreet CGM For Diabetics

In our monthly medical device industry updates, we like to highlight some of the ways in which technology is being used in patient safety and healthcare. In past editions, we’ve highlighted such innovations as an Alexa-based device that was developed for people with dementia and how Metaverse-based training is firmly on the horizon for medical students. 

This month, we were fascinated by a product review from CNBC’s Erin Black, a type 1 diabetic, who tested out the Abbott FreeStyle Libre 3 for over a month. The FreeStyle Libre 3 is a continuous glucose monitor (CGM) and was promoted as the world’s smallest, thinnest, and most accurate 14-day CGM system. 

The FreeStyle Libre 3 has received the CE mark for people with diabetes in Europe. The FreeStyle Libre 3 was also approved by the FDA in May 2022 and is a step up from previous Abbott systems. Abbott Laboratories and Dexcom are the leaders in the CGM market, which hit $5.1 billion in revenue in 2021 and is expected to reach $13.2 billion by 2028, according to Vantage Market Research. Abbott’s CGM systems, called FreeStyle Libre, generated $3.7 billion in revenue last year, with 4 million users globally. 

A 3-Pronged Approach to Establishing Foundational Security Requirements for Medical Devices 

This month we published an article on our blog that is well worth checking out – Medical Device Security: A 3-Pronged Approach to Establishing Foundational Requirements. This is one of our most important, and most valuable, posts to date and should prove incredibly useful for medical device manufacturers that are deciding which security features and capabilities they need to consider.

In the blog post, we look at how two standards (IEC/TR 80001-2-2 and IEC/TR 80001-2-8) can be used in tandem with the MDS2 form to inform the software development lifecycle. This approach can be broken into three key parts — establish, implement and communicate.  

• Establish: IEC/TR 80001-2-2 Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for communications of medical device security needs, risks, and controls. This standard can be used to establish what security capabilities you need.
• Implement: IEC/TR 80001-2-8 Application of risk management for IT-networks incorporating medical devices — Part 2-8: Application guidance — Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2. Once you have established what security capabilities you need, this standard can be used to show you how you can actually implement those features.
• Communicate: When you have completed implementation, the MDS2 form can be used to communicate your medical device’s security capabilities to buyers/healthcare delivery organizations.

Check out the article in full here.

Upcoming Medical Device Events  

1/ Healthcare Cybersecurity Forum – Boston, MA, Dec 5-6  

“The HIMSS 2022 Healthcare Cybersecurity Forum will explore how the industry is protecting itself today and how it must evolve for the future. As healthcare cybersecurity professionals adapt to new threats, you also must remain focused on safeguarding patients, defending against attackers, and delivering business value.”

2/ Medical Wearables 2022 – Online, Dec 6-8 

“What are the next-generation medical wearable technologies? What are the most promising use cases and applications? What are the main challenges right now? What’s on the roadmap of the leading companies and R&D groups? These are the key questions that will drive the discussion at this annual conference. The future is bright for medical wearables — we invite you to attend this conference to identify emerging technology and application trends, exchange ideas, form new companies, and network with your industry peers!”

3/ Medical Device Software Development Summit Europe – Munich, DE, Jan 24-26, 2023

“The Medical Device Software Development Summit Europe is the response to this industry’s plea for a deep dive into the new European specific MDR regulations and current technical challenges. This summit is bringing together like-minded speakers from a range of companies across Europe, all sharing the same desire to increase the ease and success of their medical device software development ventures.” 

4/ The 7th EAAR Annual Conference on New Medical Device Regulations – Brussels, BE, Feb 2-3

“In this 7th edition of the conference you will have the opportunity to gain a better understanding of the new European regulations on medical devices. Additional regulations (implementing acts) of the Medical Device Regulation and new guidance are issued frequently adding to the complexity. It is important to keep up-to-date with the fast-evolving compliance scene.”