Medical Device Industry Update March 2023  

Key Stories 

                  • Nova Leah to Launch New Product at HIMSS Conference 2023 
                  • How New Cybersecurity Regulations Are Shaping the Medical Device Industry 
                  • The Impact That the Biden-Harris Administration’s National Cybersecurity Strategy Will Have on Healthcare 
                  • HSCC Launches New ‘Managing Legacy Technology Security’ Guide Aimed at Healthcare Providers and Medical Device Manufacturers 
                  • Download Nova Leah’s FREE 7-Step Premarket Risk Management Checklist 
                  • Upcoming Medical Device Events 2023    

Nova Leah to Launch New Product at HIMSS Conference 2023 

Nova Leah will be in Chicago from the 17th to the 21st of April where we’ll be presenting our range of products and discussing all things cybersecurity, risk management and supply chain management at HIMSS21. Nova Leah will be showcasing in the Cybersecurity Command Center at Booth 4318 (full details here). We will also be launching a brand new product, SelectEvaluate®, which we are incredibly excited about.   

SelectEvaluate® is designed to better connect medical device manufacturers and healthcare delivery organizations. For medical device manufacturers it provides a single location where you can market your connected technologies, respond to security questionnaires, and communicate with buyers and potential customers. For healthcare providers, SelectEvaluate® streamlines the process of identifying and evaluating connected medical devices, providing continuous oversight of the security posture of medical devices. 

For medical device manufacturers: 

                    • Upload MDS2s and auto complete HDO questionnaires. 
                    • Monitor SBOMs. 
                    • Facilitate advisory communication. 
                    • Facilitate Coordinated Vulnerability Disclosure. 

For healthcare providers: 

                    • Immediate access to medical technologies information. 
                    • Build questionnaires for a global repository.  
                    • Evaluate and score responses to questions. 
                    • Receive real time updates to MDM vulnerability analysis. 

To mark the launch, Nova Leah Technical Lead, Melvyn Walker, will be giving a talk on ‘Reinventing the Cybersecurity Supply Chain for Connected Medical Technologies’ on Tuesday morning, April 18th at 10:15am. Full details including exact location and talk summary can be found here.   

HIMSS21 is expected to be one of the largest medical device conferences in 2023. The Healthcare Information and Management Systems Society (HIMSS) organizes it annually to bring together information and technology professionals, healthcare executives and clinicians, consultants, entrepreneurs, and market suppliers from around the world.  

How New Cybersecurity Regulations Are Shaping the Medical Device Industry 

The healthcare industry and, as a result, the medical device industry are regarded as critical infrastructure. According to NIST, Critical Infrastructure is a “system and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”  

Note: The European Commission has a similar definition related to critical infrastructure. “Critical infrastructure is an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behavior, may have a significant negative impact for the security of the EU and the well-being of its citizens.” 

It is no wonder then that such emphasis is being placed on improving medical device regulations. This month, popular technology news platform, Hackread, published an article that is well worth checking out. It provided a “rundown of the impact of new cybersecurity regulations as they are applied to the medical device industry.” The article explains what is being done around the world to improve medical device cybersecurity.  

This included: 

                      • Expanded FDA authority: “The passage of the United States 2023 Omnibus Bill comes with the expansion of the US Food and Drug Administration’s authority over medical device security. This expanded authority gives the FDA the power to set cybersecurity requirements for medical devices and requires all device manufacturers to demonstrate that their products meet these requirements.” 
                      • CISA’s push for secure-by-design policy: “The Cybersecurity and Infrastructure Security Agency (CISA) of the United States is pushing for the adoption of “secure-by-design” and “secure-by-default” policies among technology manufacturers, which include advanced medical device makers.” 
                      • EU Medical Device Regulation: The article takes a closer look at regulations being introduced in Europe “to ensure that all medical devices imported into the EU are of high quality and guaranteed safety.” Nova Leah has spoken in great detail about this topic in the past. Learn more here. 
                      • Japan’s MHLW guidelines: “Japan has been at the forefront of medical device cybersecurity regulations in Asia. The country’s Ministry of Health, Labour, and Welfare (MHLW) announced in 2020 new guidelines regarding medical device security. These guidelines require medical device manufacturers to implement a cybersecurity management system and conduct regular risk assessments. They also ask manufacturers to provide information on the security of medical devices to healthcare providers and patients.” 

  You can read the article in full here 

The Impact That the Biden-Harris Administration’s National Cybersecurity Strategy Will Have on Healthcare Cybersecurity 

On March the 2nd, the Biden-Harris Administration released its much anticipated National Cybersecurity Strategy, defining the government’s approach to cybersecurity. You can read the strategy in full here, or you can take a look at this fact sheet provided by the White House Briefing Room. 

The National Cybersecurity Strategy focuses on five key pillars: 

                      1. Defend Critical Infrastructure 
                      2. Disrupt and Dismantle Threat Actors
                      3. Shape Market Forces to Drive Security and Resilience
                      4. Invest in a Resilient Future
                      5. Forge International Partnerships to Pursue Shared Goals 

Each pillar has significant implications for critical infrastructure entities which, as mentioned above, include those in the healthcare sector. When it comes to critical infrastructure some of the key directives include: 

                      • “Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance”; 
                      • “Enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services”; 
                      • “Defending and modernizing Federal networks and updating Federal incident response policy”; 
                      • “Using federal grants and other incentives to make investments in critical infrastructure cybersecurity effort”; 
                      • “Investing in federal cybersecurity research and development in areas such as AI, cloud infrastructure, telecommunications and data analytics used in critical infrastructure”. 

The National Cybersecurity Strategy has been met with widespread support across the political spectrum. If the policies are taken into law, they could fundamentally change how healthcare organizations receive support from Federal entities and how the organizations themselves overcome today’s most complicated cybersecurity challenges. 

HSCC Launches New ‘Managing Legacy Technology Security’ Guide Aimed at Healthcare Providers and Medical Device Manufacturers 

On the same day that the Biden-Harris Administration released its much-anticipated National Cybersecurity Strategy, the Healthcare and Public Health Sector Coordinating Council (HSCC) and Cybersecurity Working Group (CWG) launched a new guide centered around aging legacy systems. The strategy guide ‘Health Industry Cybersecurity – Managing Legacy Technology Security’ (HIC-MaLTS) recommends cybersecurity strategies that manufacturers and health providers can implement for legacy medical technology.  

The guide outlines some of the best practices and recommendations for medical device manufacturers, healthcare providers and other technology providers whose products are used in healthcare environments. 

This document details four “core” practices that effective legacy technology cybersecurity programs should incorporate: 

                      1. Governance: “Governance of medical technologies across design, development, production, deployment, and utilization are critical to monitoring and sustaining their performance, safety, and security. Governance determines how organizations identify, protect, detect, respond, and recover from cyber incidents.” 
                      2. Communication: “In a successful cybersecurity program, successfully managing cybersecurity risk requires robust, ongoing, and comprehensive communications between stakeholders. To ensure this occurs, the policies and procedures for ongoing communications between stakeholders need to be identified upfront (i.e., at technology procurement) and supported during the lifecycle of the technology.” 
                      3. Risk management: “Performing cybersecurity risk management for legacy technologies presents three main challenges: 1) the volume of current legacy technologies to assess, 2) the lack of information available on their security controls, and 3) the risks associated with “future” legacy technologies that must be appropriately managed, and actions that should be taken to ensure that these technologies do not become legacy unexpectedly.” 
                      4. Futureproofing: “The reality of continued technical advancements in the delivery of care, and in the simultaneous evolution of cyber threats, means that all technologies will one day be “legacy.” Because all technologies age, all technologies will eventually become “legacy” and organizations must act accordingly.  

The guide can be viewed in full here.  

Download Nova Leah’s FREE 7-Step Premarket Risk Management Checklist 

In 2022, FDA published an overhauled draft guidance on medical device cybersecurity for preparing premarket submissions. Most experts agree that, if followed, this new draft guidance will fundamentally improve device security and patient safety. When finalized, this draft guidance document will supersede the 2014 version, and many in the medical device community are expecting this guidance document to be mandated very soon.   

The new draft guidance is a massive step up from previous iterations and means that organizations have to alter current processes, practices and ways in which they approach risk management. Nova Leah has spoken to a lot of medical device manufacturers and industry personnel in recent months, both online and at in-person events. When it comes to premarket submissions, two of the main questions we get are: 

                      • What has changed? 
                      • What exactly do we now need to include in our premarket submissions? 

That is why we put together Nova Leah’s 7-Step Premarket Risk Management Checklist, which outlines, in simple English, what medical device manufacturers need to include in their premarket submissions.

You can download the FREE checklist here 

Upcoming Medical Device Events 2023    

1/ 6th Annual European Medical Device and Diagnostic Quality Assurance & Control and Supplier Quality Management Conference  – Berlin, Germany, Mar 21-22, 2023  

“The 6th Annual European Medical Device and Diagnostic Quality Assurance & Control and Supplier Management Conference is Europe’s only conference dedicated to MedTech Quality Assurance, Quality Control, and Supplier Quality Management. This two-day dual-track in-person conference will unearth the best strategies for developing sustainable quality management systems, continuing to be audit-ready, and enhancing interdepartmental collaboration for improved quality management practices. With experts from leading regulatory bodies, manufacturers, and technology innovators, you will network with your peers, and access a wealth of knowledge and advice on emerging global trends, regulatory challenges, and evolving requirements for effective compliance.”  

2/ MedTech Strategist Innovation Summit Dublin 2023 – Dublin, Ireland, Mar 21-22, 2023  

“Europe’s largest MedTech partnering and investment conference. Innovation Summit Dublin 2023 brings together innovative start-ups [that are making] positive change in the industry and leading voices in today’s MedTech world to offer insight and opportunity.”  

3/ ViVE 2023 – Nashville, TN, March 26-29, 2023 

“Taking place over the course of 4 days in Nashville, ViVE will convene senior and executive leaders in the digital healthcare space and provide an enjoyable engagement environment to drive growth opportunities through curated connections, personalized attendee journeys, and progressive programming.” 

4/ HIMSS21 Conference – Chicago, Illinois, April 17-21, 2023 

 “HIMSS21 is expected to be one of the largest medical device conferences in 2023. The Healthcare Information and Management Systems Society (HIMSS) organizes it annually to bring together information and technology professionals, healthcare executives and clinicians, consultants, entrepreneurs, and market suppliers from around the world. Exceptional education, world-class speakers, cutting-edge products, and powerful networking are all hallmarks of this industry-leading conference.”  

5/ DeviceTalks Boston – Boston, MA, May 10-11, 2023 

“Spend two days with the innovators, engineers and executives who are creating life-saving medical devices in an increasingly challenging time. DeviceTalks invites the leading Orthopedics, Cardiovascular, Image-guided Devices, Surgical Robotics, Neurology and other companies to share their knowledge in each of these sessions.” 

6/ MedtecLIVE with T4M – Nuremberg, Germany, May 23-25, 2023  

“MedtecLIVE with T4M is where product developers and purchasing managers from distributors and OEMs come together with the leading suppliers of medical technology in Europe. The event alternates between the two most important medical technology regions in Germany and covers the entire supply chain. It is Europe’s leading trade fair for biomedical engineering and an important event for decision-makers in the medical technology industry.” 

7/ BIOMEDevice – Boston Convention & Exhibition Center, September 20-21, 2023  

“BIOMEDevice Boston brings engineers, business leaders, disruptive companies, and innovative thinkers from the region’s top start-ups and medical device OEMs together to inspire the next life-changing medical device. BIOMEDevice Boston is one of the medical device conferences in 2023 that you should definitely attend if you call the East Coast home. It showcases emerging technologies and trends from cutting-edge engineers, innovative thinkers, and business leaders who are impacting the progression of the world’s biotechnology.”