Medical Device Industry Update July 2023  

Key Stories 

• New Regulations in Both Automotive and Medical Device Industries Highlight Fascinating Connection
• Healthcare Data Breaches in the United States Continue to Rise at an Alarming Rate
• Less Than 3 Months Until FDA’s Refuse-to-Accept Policy Comes Into Effect for Medical Cyber Devices
• Upcoming Medical Device Events September 2023

New Regulations in Both Automotive and Medical Device Industries Highlight Fascinating Connection

To an outside observer, the automotive industry and the medical device industry might seem like two worlds apart. However, the two industries are more closely connected than you’d think. Both run critical applications that are often connected to the internet. As a result, both are increasingly vulnerable to cyber attacks. If a cyber attack were to occur in either space, the life of the end user would be put at serious risk (the driver in the case of the automotive industry and the patient in the medical device space).

These risks are not just hypothetical either. More than 39 million individuals have been impacted by healthcare data breaches in the first half of 2023 alone. In the automotive industry, cyber attacks on cars have soared by 225% in the last three years.

Another similarity is the fact that, as the connectivity of equipment in both industries increases, the risk of cyber attack increases exponentially. And, in both cases, the regulatory landscape is far behind where it needs to be but has been steadily catching up in recent years. Within both the automotive industry and the medical device industry, regulations are being put in place to strengthen the cybersecurity infrastructure. 

Even the way in which these regulatory changes are taking effect is closely aligned.  

• In both industries, manufacturers must document and prove their vehicle’s or medical device’s cybersecurity posture.
• A failure to prove such posture severely affects manufacturers’ business plans, as they are not allowed to sell their products until they remediate the security gaps.
• Manufacturers’ responsibility for their customers’ safety doesn’t stop at product release. They must keep track of new vulnerabilities throughout the product life cycle.

This fascinating connection between these two industries is explored in more detail here

Healthcare Data Breaches in the United States Continue to Rise at an Alarming Rate 

Breaches of unsecured protected health information have affected over 42.7 million U.S. citizens thus far in 2023, according to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights. This is an increase of 50% compared to the same period last year (28.4 million people). It also surpasses the 39.9 million affected individuals in the entirety of 2021.

Although the number of reported cybersecurity breach events in 2023 has slightly declined to 338 breaches from 390 breaches in the same period in 2022, the staggering increase in affected individuals suggests that hackers are targeting larger networks, necessitating heightened vigilance and security measures. 

To counter the increasingly volatile cybersecurity threatscape, the FDA introduced new guidelines for medical device manufacturers in March 2023. These guidelines require manufacturers to submit a plan to monitor, identify, and address post-market cybersecurity vulnerabilities when applying for new pre-market authorizations. We will explore these new requirements in more detail further below. 

Read more about this story and what FDA is doing to combat the rising number of data breaches here

Less Than 3 Months Until FDA’s Refuse-to-Accept Policy Comes Into Effect for Medical Cyber Devices

On March 29th, 2023, new legislation was signed into law which means that all medical cyber devices must now meet certain cybersecurity standards. If you are a company building a medical “cyber device”, you are now required to take the following actions when preparing premarket submissions: 

1. Submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address, on a reasonably justified regular cycle, known unacceptable vulnerabilities; and, as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
3. Provide a software bill of materials (SBOM);
4. Ensure compliance with other requirements that the FDA may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

All your questions about the new cybersecurity requirements are answered here

While these laws have been in place for the past several months, the FDA has been helping medical device manufacturers to adjust to this change by working collaboratively with applicants to remedy defects in their cybersecurity documentation. 

However, from October 1st 2023 onwards, FDA will reject or ‘refuse to accept’ submissions that do not include the security measures mentioned above. There will be no collaboration or leeway. If your submission doesn’t detail the cybersecurity measures listed above, FDA will reject it on the spot. With less than three months until the refuse-to-accept policy comes into effect, medical device manufacturers must act fast. 

If you are a medical device manufacturer that is looking to adjust to new requirements, you can do so by integrating with a single software solution. Find out how here

Upcoming Medical Device Events in September 2023   

September is always an incredibly busy period in the medical device calendar. Below we’ve listed five events that are worth checking out.  

1/ BSI 12th Annual Medical Device Roadshow, September 11-15 2023

(Taking place in Santa Clara, Minneapolis, Boston and a Virtual Show)

“BSI hosts our 12th annual EU Medical Device Roadshow for the medical device manufacturer regulatory affairs, quality assurance and related consulting community. Join us again in person or for the virtual version of our Medical Device Roadshow exclusively focused on addressing European medical device regulatory and quality assurance requirements.

BSI will be sharing our current experiences, best practice and expectations from the perspective of the first notified body designated under the MDR (EU 2017/745). BSI The Netherlands (2797) is a leading Notified Body; we review medical devices to ensure that they conform to the requirements of the European Directives and Regulations. BSI UK (0086) is a UK Approved Body able to provide conformity assessments under the new UKCA scheme.”
 

2/ LSX USA Leaders Forum – Boston MA, Sep 13-14 2023 

“LSX World Congress USA will replicate the unique dynamics and high-quality senior audience that has become the hallmark of LSX events around the world. In September 2023, we’ll be gathering North America’s leading Biotech, Medtech and Healthtech CEOs for a 2-day executive conference, in-person 1-2-1 partnering and company showcasing opportunities.

The CEOs from our network will be joined by the sector’s most active investors, big pharma and commercial leaders as well as a selection of the highest-quality, trusted advisors. So, pack your bags, get out from behind your desks and join us in glorious Boston for some inspiring content, quality peer-to-peer discussion and high-level networking!”

3/ LSI Emerging Medtech Summit Europe 2023 –  Barcelona, Spain, Sep 18-22 2023 

“LSI Europe ‘23 is a must-attend event for innovators, investors, and strategically building the future of medical technology. This summit acts as a platform to explore and discuss the latest advancements, challenges, and trends in the industry. By attending, you’ll gain invaluable insights from industry leaders, cutting-edge startups, and influential experts.”

4/ BIOMEDevice – Boston Convention & Exhibition Center, Sep 20-21 2023 

“BIOMEDevice Boston brings engineers, business leaders, disruptive companies, and innovative thinkers from the region’s top start-ups and medical device OEMs together to inspire the next life-changing medical device. BIOMEDevice Boston is one of the medical device conferences in 2023 that you should definitely attend if you call the East Coast home. It showcases emerging technologies and trends from cutting-edge engineers, innovative thinkers, and business leaders who are impacting the progression of the world’s biotechnology.”

5/ Medical Technology Ireland Expo and Conference, Galway, Ireland, Sep 20-21 2023 
