Medical Device Industry Update January 2023  

Key Stories:  

• FDA Issues Roadmap to Medical Device Regulatory Guidance Topics List for 2023
• Nova Leah’s Summary of the ‘Cybersecurity is Patient Safety’ Policy Options Paper
• Capterra’s 2022 Medical IoT Survey – Unprotected Medical IoT Devices Threaten Patient Care
• FDA Pushing for Increased Medical Device Cybersecurity Funding
• Five Cybersecurity Predictions for 2023
• An Introductory Guide to Threat Modeling from Nova Leah
• Upcoming medical device events

FDA Issues Roadmap to Medical Device Regulatory Guidance Topics List for 2023 

In December, the FDA released a list of guidance documents it plans to issue over its 2023 fiscal year. FDA’s Center for Devices and Radiological Health (CDRH) publishes the list of planned topics each year, divided into higher-priority “A-list” final and draft guidance topics and a “B-list” of guidance documents to be published as agency resources allow. Finally, CDRH publishes a “Retrospective review” list of guidance documents issued in previous years that may benefit from revision.

Below are some of the ‘A-list’ regulatory priorities that the FDA hopes to roll out in 2023.

Final guidance topics: 

• Remanufacturing of medical devices
• Transition plan for medical devices that fall within enforcement policies issued during the coronavirus disease 2019 (COVID-19) public health emergency
• Transition plan for medical devices issued emergency use authorizations (EUAs) during the coronavirus disease (COVID-19) public health emergency
• Cybersecurity in medical devices: Quality system considerations and content of premarket submissions
• Content of premarket submissions for device software functions
• Fostering medical device improvement: FDA activities and engagement with the Voluntary Improvement Program

Draft guidance topics: 

• Voluntary malfunction summary reporting (VMSR) medical device reporting (MDR) for manufacturers
• Clinical considerations for medical device premarket submissions targeting opioid use disorder
• Select updates for guidance for the Breakthrough Devices Program
• Electronic submission template for de novo request submissions

You can read more about the A-list, B-list and retrospective review lists on the FDA website.

Nova Leah’s Summary of the ‘Cybersecurity is Patient Safety’ Policy Options Paper 

Last month, Virginia Senator and Chairman of the Senate Select Committee on Intelligence, Mark Warner, released a whitepaper that details a series of potential regulatory requirements aimed at improving cybersecurity across the healthcare industry. The paper, which is titled ‘Cybersecurity is Patient Safety’, outlines current cybersecurity threats facing healthcare providers along with a series of policy solutions that would improve cybersecurity across the industry. 

Divided into three parts, the whitepaper is organized as follows:

• Chapter 1 covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the healthcare sector.
• Chapter 2 covers ways in which the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
• Chapter 3 covers policies that could help healthcare providers respond to attacks in the event of a cybersecurity failure. Specifically, it notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems.

At Nova Leah, we put together a summary of some of the key ideas and policies presented in this important 36-page policy options paper.

Check it out here 

Capterra’s 2022 Medical IoT Survey – Unprotected Medical IoT Devices Threaten Patient Care 

“Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it’s difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.” 

Zach Capers, senior security analyst at Capterra. 

The rising adoption of connected medical devices is accelerating cyberattacks, according to Capterra’s new Medical IoT Survey of healthcare IT professionals. In fact, medical practices with more than 70% of their devices connected are 24% more likely to experience a cyberattack than practices with 50% or fewer connected devices.

Below are some of the key findings from the survey.  

• Healthcare organizations with a higher percentage of connected medical devices suffer more cyberattacks.
• Nearly half (48%) of healthcare cyberattacks impact patient care, and two in three (67%) affect patient data.
• More than half (53%) of healthcare IT staff view the current cybersecurity threat landscape as high or extreme.
• Less than half (43%) of practices say they always change default passwords on connected medical devices, and less than a third (32%) always update them when a patch is available.

Read the full report on 

FDA Pushing for Increased Medical Device Cybersecurity Funding 

The FDA is pushing Congress for increased funding and support in order to address medical device cybersecurity concerns. As the Capterra survey above also shows, the rise in the number of devices used by healthcare facilities over the last decade has led to a corresponding increase in the vulnerabilities found in them.

In September, the FBI warned that vulnerabilities in widely used medical devices are leaving hospitals and healthcare facilities exposed to attacks from nation-state hackers and ransomware gangs. The FBI specifically cited vulnerabilities found in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps, noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or “otherwise endanger patient health.”  

Five Cybersecurity Predictions for 2023   

As a new year begins, Forescout’s research team, Vedere Labs, provided some cybersecurity predictions for the year ahead. This included one that is especially relevant to the medical device industry: ‘medical device cybersecurity challenges will persist’. The article cited several medical device security challenges, including long lifespans, difficulty in patching, and customized software/firmware.

The report went on to mention how 2023 “could also be the year where we see attacks not only spill over to medical devices, but actually target them (potentially their insecure-by-design features as in OT), although it would require specific attacker motivation to purposefully target devices that could directly harm people.” 

The five cybersecurity predictions include: 

1. Ransomware groups will expand into more IoT devices and continue evolving their extortion campaigns. IP cameras and VoIP systems were cited as possible favorite targets.
2. Hacking groups that appeared or became more active during the war in Ukraine will continue to act, regardless of what happens with the war.
3. State-sponsored actors will continue to expand their arsenal with new sophisticated malware.
4. Medical device cybersecurity challenges will persist.
5. Attacks on critical infrastructure will continue to increase.

An Introductory Guide to Threat Modeling from Nova Leah  

In the past few years, a huge emphasis has been placed on threat modeling when it comes to securing connected medical devices. Threat modeling (TM) is viewed as an integral means of managing medical device and diagnostic cybersecurity risks.

We recently put together a brief overview of threat modeling. The article includes an introduction to the concept while touching on MITRE’s playbook for threat modeling medical devices. This playbook was developed to increase knowledge of threat modeling throughout the medical device ecosystem in order to further strengthen the cybersecurity and safety of medical devices.  

In the article we also provide a simple 4-question framework for implementing threat modeling within your development cycle. You can read it in full here.  

2023 Upcoming Medical Device Events  

1/ Medical Device Software Development Summit Europe – Munich, DE, Jan 24-26, 2023

“The Medical Device Software Development Summit Europe is the response to this industry’s plea for a deep dive into the new European specific MDR regulations and current technical challenges. This summit is bringing together like-minded speakers from a range of companies across Europe, all sharing the same desire to increase the ease and success of their medical device software development ventures.”

2/ The 7th EAAR Annual Conference on New Medical Device Regulations – Brussels, BE, Feb 2-3, 2023

“In this 7th edition of the conference you will have the opportunity to gain a better understanding of the new European regulations on medical devices. Additional regulations (implementing acts) of the Medical Device Regulation and new guidance are issued frequently adding to the complexity. It is important to keep up to date with the fast-evolving compliance scene.”

3/ MD&M West – Anaheim Convention Centre, Anaheim, CA, Feb 7-9, 2023

“MD&M West encourages innovation that results in solutions – both simple and complex – by building a community of experts, engineers, and thought leaders and bringing them together every year to engineer life-saving devices. Much more than a medical technology trade show, MD&M West exists to improve lives through continuing education, sharing knowledge, and bringing opportunities to all.”

4/ 6th Annual European Medical Device and Diagnostic Quality Assurance & Control and Supplier Quality Management Conference – Berlin, DE, Mar 21-22, 2023

“The 6th Annual European Medical Device and Diagnostic Quality Assurance & Control and Supplier Management Conference is Europe’s only conference dedicated to MedTech Quality Assurance, Quality Control, and Supplier Quality Management. This two-day dual-track in-person conference will unearth the best strategies for developing sustainable quality management systems, continuing to be audit-ready, and enhancing interdepartmental collaboration for improved quality management practices. With experts from leading regulatory bodies, manufacturers, and technology innovators, you will network with your peers, and access a wealth of knowledge and advice on emerging global trends, regulatory challenges, and evolving requirements for effective compliance.” 

5/ MedTech Strategist Innovation Summit Dublin 2023 – Dublin, IE, Mar 21-22, 2023

“Europe’s largest MedTech partnering and investment conference. Innovation Summit Dublin 2023 brings together innovative start-ups [that are making] positive change in the industry and leading voices in today’s MedTech world to offer insight and opportunity.”