By Steven Darroch, Senior Manager, and Nick Sikorski, Manager, Deloitte & Touche LLP
This week's blog, by Steven Darroch and Nick Sikorski from the US firm, first appeared on the US Center for Health Solutions blog site. The blog follows on from our report Medtech and the Internet of Medical Things: How connected medical devices are transforming health care and a public workshop held by the FDA, and explores the importance of medical device safety and how to mitigate operational, commercial and regulatory risks.
An ever-expanding list of medical devices is able to generate, collect, analyze, and transmit data, creating the Internet of Medical Things (IoMT)—a connected infrastructure of health systems and services. As connected devices have become more common, the ability to protect digital information has become essential. Manufacturers that have a solid risk-management strategy could gain a competitive advantage.
By 2022, the IoMT market is expected to top $158 billion.[1] Medical device manufacturers estimate that almost half (48 percent) of their products are data-generating connected medical devices. Over the next five years, they expect that percentage will jump to 68 percent, according to a 2018 report from Deloitte that explored connected medical devices.
Notable progress is being made when it comes to safeguarding connected medical devices and the data they contain. Regulators, manufacturers, and health care delivery organizations (HDOs) have all had a seat at the table, and they have provided valuable input and solutions. As a result, organizations are better armed to more effectively manage the risks (and reap the benefits) in this rapidly evolving space.
Early this year, the US Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) held a two-day public workshop to review an updated draft of its Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (premarket guidance), which the agency released in October 2018.[2] The draft guidance provided the industry with updated recommendations on cybersecurity for device design, labeling, and documentation that the FDA recommends including in premarket submissions for medical devices with cybersecurity risk.
Deloitte practitioners joined several hundred other participants in Maryland to meet with the FDA, medical device manufacturers, health systems, and cybersecurity specialists and researchers on the future of medical device security. The FDA Commissioner kicked off the workshop by outlining three core focus areas the agency considers essential for medical device cybersecurity: trustworthiness, transparency, and resilience. Plenaries, panels, and breakout sessions explored a wide range of topics and provided input on FDA’s draft guidance.
Participants represented various industries across the globe. Many of the topics discussed revolved around patient safety. There were debates on the semantics of trustworthiness, and detailed discussions on threat modeling, vulnerability scoring, and the development, use, and maintenance of a cybersecurity bill-of-materials (a manufacturing term for the pieces and parts used to build a product). It was clear from the meeting that risk fuels performance—meaning that taking the appropriate risks at the appropriate time can have highly positive results in securing medical devices. Understanding those risks, prioritizing them, and managing them effectively requires detailed knowledge across operational domains. Additionally, device manufacturers need to strike the appropriate balance—applying the right level of security control to products while remaining operationally efficient.
The three risk categories for connected medical devices
When it comes to patient safety, we see three main risk categories for connected medical devices: regulatory, commercial, and operational. Understanding the risks in these three areas—and linking their relevance to each stakeholder—is critical to providing safe patient care while protecting the privacy of related records:
- Operational risk: A medical device cybersecurity incident can impact clinical operations and have patient-safety implications. The industry now includes cybersecurity (e.g., a patient being diverted due to unavailable medical devices) in its view of what can impact patient safety. Organizations must manage the risks effectively and efficiently.
- Commercial risk: A medical device manufacturer might not be able to effectively market its products or services if a competitor’s products or services are more secure and therefore safer for use with patients. Brand reputation is an important consideration when health systems make product decisions, and there could be a significant concern for what could go wrong commercially.
- Regulatory risk: This can occur when an organization cannot or does not comply with relevant regulatory standards for established and emerging products. The FDA is focused on ensuring safe and secure products for patient use. Other relevant bodies include the European Medicines Agency (EMA), Health Canada, and the Japan Ministry of Health, Labor and Welfare (MHLW).
Effective management of these risks requires skilled and experienced professionals, appropriately defined processes, and capable technology to scale to the number and complexity of devices at risk. An organization that doesn’t have these elements in place may lose the trust of its patients or their doctors. For health systems, maintaining a resilient, interconnected medical-device environment requires a collaborative approach. They need to deliver trustworthy devices and share information about the risks of the devices and how systems are managing them. Regulators often have higher expectations. In response, manufacturers are developing more transparent communication protocols to build stronger collaborative relationships with health systems.
What we’ve learned over the past several years from regulators, manufacturers, and HDOs is that building and operating a medical device security organization is challenging, but well worth the effort. Leading organizations that have invested in establishing and fine-tuning their medical-device security programs have the flexibility and tools to better manage operational, commercial, and regulatory risks. Medical devices that are seen as more trustworthy could give their manufacturers a competitive advantage as their competitors try to catch up. Manufacturers with a solid risk management program are better poised to lead on trustworthiness, transparency, and resilience.
[1] IoT Healthcare Market, Global Forecast to 2022, MarketsandMarkets, 2017. See also: https://www.marketsandmarkets.com/PressReleases/iothealthcare.asp
[2] FDA press release, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices workshop: https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm623171.html