Medical Device Industry Update February 2023  

Key Stories:  

Five Cybersecurity Healthcare Executives Make Their Predictions for 2023

$1.7 Trillion Omnibus Spending Bill a Game Changer for Strengthening Medical Device Supply Chains

Diabetes Technology Reveals a Lot About the Benefits and Risks of Personal Medicine Connected to the Internet

With Attacks on Medical Devices on the Rise, Scholars Examine Regulatory Challenges and Solutions

7 Upcoming Medical Device Events in 2023


Five Cybersecurity Healthcare Executives Make Their Predictions for 2023

Last month, we provided a list of five cybersecurity predictions that Forescout’s research team, Vedere Labs, made for 2023. The wide-ranging list included the following predictions:   

1. Ransomware groups will expand into more IoT devices and continue evolving their extortion campaigns. IP cameras and VoIP systems were cited as possible favorite targets.
2. Hacking groups that appeared or became more active during the war in Ukraine will continue to act, regardless of what happens with the war.
3. State-sponsored actors will continue to expand their arsenal with new sophisticated malware.
4. Medical device cybersecurity challenges will persist.
5. Attacks on critical infrastructure will continue to increase.

This month, we were fascinated to hear from five top cybersecurity executives, who had their own predictions for the year ahead. Below is a breakdown of what each of them had to say: 

1. Irfan Shakeel, VP of Training and Certification Services, OPSWAT, believes that cyberattacks on the healthcare industry will continue to increase in the coming year. Global cyberattacks rose by 38% in 2022 according to Check Point Research and, with healthcare being such a lucrative target for cybercriminals, Shakeel expects the trend to continue. According to IBM, healthcare breaches cost the most at $9.23 million per incident. Shakeel concluded by giving the following piece of advice – “with healthcare staff generally unaware of the extent of cyber risks and best practices, educating them is of vital importance to protect the healthcare industry from cyberattacks.”
2. Global Head of Medical Device Security at UL Solutions, Anura Fernando, continues in this vein by suggesting that “when we look back on 2023, healthcare will be the most attacked sector in the global economy.” Statista research revealed that the healthcare industry was the second-most attacked industry vertical from November 2020 to October 2021, trailing only financial services. But Fernando believes that, as more health systems adopt connected medical devices, attacks on medical technology will grow even further.
3. George Prichici, VP Products, OPSWAT, also suggested that cybercriminals will target the healthcare industry and that it could lead to fatalities. Prichici then went on to underscore the fact that “zero-trust is so important for healthcare, as well as having a solid response plan in place for recovery/backup (similar to generators for a power outage), so that operations don’t get stopped mid-way”.
4. Jennifer Conner, Sr. Director of Pharma/Healthcare, Icertis, believes that, given cybersecurity concerns and heightened awareness of patient data protection, the healthcare industry must focus on rebuilding trust with patients. In her opinion, organizations need solutions that are both ultra-secure and give patients confidence.
5. Chief Risk Officer of SVP Professional Services at Clearwater, Jon Moore, once again highlighted the increasingly sophisticated threatscape. He then went on to urge healthcare organizations to “understand that defending against these increasing threats requires adopting a mindset of continuous risk management.” He also spoke of the need for healthcare organizations to adopt more dynamic approaches to cybersecurity.

$1.7 Trillion Omnibus Spending Bill a Game Changer for Strengthening Medical Device Supply Chains

At the end of 2022, US President Joe Biden signed a $1.7 trillion omnibus spending bill that funds the federal government through the end of the current fiscal year (September 2023). Within this bill (known as the Consolidated Appropriations Act, 2023), the FDA received a total of $3.5 billion in discretionary funding, an increase of $226 million above the 2022 fiscal year enacted level. This funding will go towards addressing medical device supply chain issues and the cybersecurity of medical devices, amongst a handful of other named objectives.

The Consolidated Appropriations Act, 2023 was passed by Congress on December 23, 2022 and signed into law by President Biden on December 29, 2022. The bill includes long-awaited authorization for the Food and Drug Administration (FDA) to establish cybersecurity requirements for manufacturers of connected medical devices.

Since 2014, the FDA has been releasing non-binding guidance and recommendations on the cybersecurity of medical devices. However, this new legislation formally empowers the FDA to ensure that medical devices meet minimum cybersecurity requirements. This move represents a significant milestone in the ongoing quest to strengthen medical device supply chains and the nation’s medical device cybersecurity infrastructure.

To learn more about this, check out this article on our website. 


Diabetes Technology Reveals a Lot About the Benefits and Risks of Personal Medicine Connected to the Internet 

Many people in the medical device industry will be aware of a landmark talk given by Jay Radcliffe over ten years ago. At the Black Hat USA security conference in 2011, Jay Radcliffe, a security researcher with type 1 diabetes, demonstrated that he, or an attacker within a few feet, could remotely tamper with the insulin dosages administered by his insulin pump, as the device used no means of authentication or encryption. Later that year, at the Hacker Halted conference, researcher Barnaby Jack showed that he could take control of multiple insulin pumps within 300 feet and deliver a fatal dosage of insulin.  

Diabetes technology was, once again, put under the microscope this month to demonstrate the threats that exist to connected medical devices. About one out of every 10 Americans, or 37 million people, are living with diabetes. Now devices such as insulin pumps, which go back decades, and continuous glucose monitors, which monitor blood sugar levels 24/7, are increasingly connected to smartphones via Bluetooth.  

This technology allows patients to keep a much tighter control over their blood sugars and insulin dosing data. However, the ability to monitor medical conditions over the internet comes with risks, including nefarious hacking. The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product makers have issued recalls related to vulnerabilities. 

Industry security experts categorize the cybersecurity risks of medical devices into three buckets: the risk to patient data, the risk to the device itself, and the risk between devices and the internet network. Lawmakers and healthcare leaders have been pushing for more guidance and regulations around medical device security. You can learn more about this story on CNBC.

In the article, an FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill (mentioned above) represent a significant step forward in FDA’s oversight of cybersecurity as part of a medical device’s safety and effectiveness. Among the provisions, manufacturers will have to put plans and processes in place to disclose vulnerabilities. Device manufacturers will also have to provide updates and security patches to devices and related systems for “critical vulnerabilities that present uncontrolled risk,” in a timely manner. 

With Attacks on Medical Devices on the Rise, Scholars Examine Regulatory Challenges and Solutions 

A series of articles have shone a light on the regulatory challenges faced by the medical device industry. In a recent edition of ‘Saturday Seminar’ on the Regulatory Review, a number of scholars evaluated the regulatory landscape of cybersecurity for medical devices.  

Below are some of the key takeaways with links to the articles: 

1. FDA should establish a cost-benefit framework to evaluate the need for additional cybersecurity features in cyber-physical medical devices, according to Christopher S. Yoo and Bethany Lee in a recent University of Pennsylvania Carey Law School Institute for Law and Economics research paper. The pair state that cyber-physical devices defy FDA’s traditional approach to regulating safety and effectiveness. Unlike purely software or hardware devices, cyber-physical devices interact with signals from both networked devices and the physical environment. This creates an unpredictable and unbounded environment.
2. In an article in the Hastings Science and Technology Law Journal, Kenny E. Gutierrez, a former fellow at the Electronic Frontier Foundation, discusses the privacy and cybersecurity concerns in the mobile health application and digital wearables industry. Gutierrez acknowledges that the data collection capabilities of health apps and wearables are at the forefront of precision medicine. But after surveying the United States’ sectoral privacy laws, Gutierrez argues that the industry needs a better regulatory framework as privacy and cybersecurity issues amass for users who store private medical information on these easily compromised devices.
3. In an article published in the Colorado Technology Law Journal, Allee Johnson, a data privacy consultant at Ernst & Young, argued that FDA has failed to protect the public from cyberattacks. Johnson suggests that FDA should create a safe harbor system using its current voluntary guidelines on maintaining medical devices.
4. In a recent article in Health Policy and Technology, Nicole M. Thomasian and Eli Y. Adashi from the Warren Alpert Medical School of Brown University argue that the medical field must keep cybersecurity concerns as a high priority. Thomasian and Adashi define the major risks of cyberattacks on medical devices to include a loss of confidentiality of user information, corruption of device functionality or data, and diminished availability of the device to the user.

7 Upcoming Medical Device Events in 2023 

1/ The 7th EAAR Annual Conference on New Medical Device Regulations – Brussels, Belgium, Feb 2-3, 2023

“In this 7th edition of the conference you will have the opportunity to gain a better understanding of the new European regulations on medical devices. Additional regulations (implementing acts) of the Medical Device Regulation and new guidance are issued frequently adding to the complexity. It is important to keep up to date with the fast-evolving compliance scene.”

2/ MD&M West – Anaheim Convention Centre, Anaheim, California, Feb 7-9 2023

“MD&M West encourages innovation that results in solutions – both simple and complex – by building a community of experts, engineers, and thought leaders and bringing them together every year to engineer life-saving devices. Much more than a medical technology trade show, MD&M West exists to improve lives through continuing education, sharing knowledge, and bringing opportunities to all.” 

3/ 6th Annual European Medical Device and Diagnostic Quality Assurance & Control and Supplier Quality Management Conference – Berlin, Germany, Mar 21-22 2023

“The 6th Annual European Medical Device and Diagnostic Quality Assurance & Control and Supplier Management Conference is Europe’s only conference dedicated to MedTech Quality Assurance, Quality Control, and Supplier Quality Management. This two-day dual-track in-person conference will unearth the best strategies for developing sustainable quality management systems, continuing to be audit-ready, and enhancing interdepartmental collaboration for improved quality management practices. With experts from leading regulatory bodies, manufacturers, and technology innovators, you will network with your peers, and access a wealth of knowledge and advice on emerging global trends, regulatory challenges, and evolving requirements for effective compliance.”

4/ MedTech Strategist Innovation Summit Dublin 2023 – Dublin, Ireland, Mar 21-22 2023 

“Europe’s largest MedTech partnering and investment conference. Innovation Summit Dublin 2023 brings together innovative start-ups {that are making} positive change in the industry and leading voices in today’s MedTech world to offer insight and opportunity.” 

5/ HIMSS21 Conference – Chicago, Illinois, April 17-21 2023 

“HIMSS21 is expected to be one of the largest medical device conferences in 2023. The Healthcare Information and Management Systems Society (HIMSS) organizes it annually to bring together information and technology professionals, healthcare executives and clinicians, consultants, entrepreneurs, and market suppliers from around the world. Exceptional education, world-class speakers, cutting-edge products, and powerful networking are all hallmarks of this industry-leading conference.” 

6/ MedtecLIVE with T4M – Nuremberg, Germany, May 23-25 2023

“MedtecLIVE with T4M is where product developers and purchasing managers from distributors and OEMs come together with the leading suppliers of medical technology in Europe. The event alternates between the two most important medical technology regions in Germany and covers the entire supply chain. It is Europe’s leading trade fair for biomedical engineering and an important event for decision-makers in the medical technology industry.” 

7/ BIOMEDevice – Boston Convention & Exhibition Center, September 20-21 2023 

“BIOMEDevice Boston brings engineers, business leaders, disruptive companies, and innovative thinkers from the region’s top start-ups and medical device OEMs together to inspire the next life-changing medical device. BIOMEDevice Boston is one of the medical device conferences in 2023 that you should definitely attend if you call the East Coast home. It showcases emerging technologies and trends from cutting-edge engineers, innovative thinkers, and business leaders who are impacting the progression of the world’s biotechnology.”