By Steven Darroch, Senior Manager, and Nick Sikorski, Manager, Deloitte & Touche LLP


This week's blog, by Steven Darroch and Nick Sikorski from the US firm, first appeared on the US Center for Health Solutions blog site. The blog follows on from our report Medtech and the Internet of Medical Things: How connected medical devices are transforming health care and a public workshop held by the FDA, and explores the importance of medical device safety and how to mitigate operational, commercial and regulatory risks.

An ever-expanding list of medical devices is able to generate, collect, analyze, and transmit data, creating the Internet of Medical Things (IoMT)—a connected infrastructure of health systems and services. As connected devices have become more common, the ability to protect the digital information they handle has become essential. Manufacturers with a solid risk-management strategy could gain a competitive advantage.

By 2022, the IoMT market is expected to top $158 billion [1]. Medical device manufacturers estimate that almost half (48 percent) of their products are data-generating connected medical devices. Over the next five years, they expect that percentage will jump to 68 percent, according to a 2018 report from Deloitte that explored connected medical devices.

Notable progress is being made when it comes to safeguarding connected medical devices and the data they contain. Regulators, manufacturers, and health care delivery organizations (HDOs) have all had a seat at the table, and they have provided valuable input and solutions. As a result, organizations are better armed to more effectively manage the risks (and reap the benefits) in this rapidly evolving space.

Early this year, the US Food and Drug Administration (FDA) Center for Radiological Health (CDRH) held a two-day public workshop to review an updated draft of its Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (pre-market guidance), which the agency released in October 2018 [2]. The draft guidance provided the industry with updated recommendations on cybersecurity for device design, labeling, and documentation that the FDA recommends including in premarket submissions for medical devices with cybersecurity risk.

Deloitte practitioners joined several hundred other participants in Maryland to meet with the FDA, medical device manufacturers, health systems, and cybersecurity specialists and researchers on the future of medical device security. The FDA Commissioner kicked off the workshop by outlining three core focus areas the agency considers essential for medical device cybersecurity: trustworthiness, transparency, and resilience. Plenaries, panels, and breakout sessions explored a wide range of topics and provided input on FDA’s draft guidance.

Participants represented various industries across the globe. Many of the topics discussed revolved around patient safety. There were debates on the semantics of trustworthiness, and detailed discussions on threat modeling, vulnerability scoring, and the development, use, and maintenance of a cybersecurity bill-of-materials (a manufacturing term for the pieces and parts used to build a product). It was clear from the meeting that risk fuels performance—meaning that taking the appropriate risks at the appropriate time can have highly positive results in securing medical devices. Understanding those risks, prioritizing them, and managing them effectively requires detailed knowledge across operational domains. Additionally, device manufacturers need to strike the appropriate balance—applying the right level of security control to products while remaining operationally efficient.

The three risk categories for connected medical devices

When it comes to patient safety, we see three main risk categories for connected medical devices: regulatory, commercial, and operational. Understanding the risks in these three areas—and linking each one to the people responsible for it—is critical to providing safe patient care while protecting the privacy of related records:

  1. Operational risk: A medical device cybersecurity incident can impact clinical operations and have patient-safety implications. The industry now includes cybersecurity (e.g., a patient being diverted due to unavailable medical devices) in its view of what can impact patient safety. Organizations must manage the risks effectively and efficiently.
  2. Commercial risk: A medical device manufacturer might not be able to effectively market its products or services if a competitor’s products or services are more secure and therefore safer for use with patients. Brand reputation is an important consideration when health systems make product decisions, and there could be a significant concern for what could go wrong commercially.
  3. Regulatory risk: This can occur when an organization cannot or does not comply with relevant regulatory standards for established and emerging products. The FDA is focused on ensuring safe and secure products for patient use. Other relevant bodies include the European Medicines Agency (EMA), Health Canada, and the Japan Ministry of Health, Labor and Welfare (MHLW).

Effective management of these risks requires skilled and experienced professionals, appropriately defined processes, and capable technology to scale to the number and complexity of devices at risk. An organization that doesn’t have these elements in place may lose the trust of its patients or their doctors. For health systems, maintaining a resilient, interconnected medical-device environment requires a collaborative approach. They need to deliver trustworthy devices and share information about the risks of the devices and how systems are managing them. Regulators often have higher expectations. In response, manufacturers are developing more transparent communication protocols to build stronger collaborative relationships with health systems.

What we’ve learned over the past several years from regulators, manufacturers, and HDOs is that building and operating a medical device security organization is challenging, but well worth the effort. Leading organizations that have invested in establishing and fine-tuning their medical-device security programs have the flexibility and tools to better manage operational, commercial, and regulatory risks. Medical devices that are seen as more trustworthy could give their manufacturers a competitive advantage while their competitors try to catch up. Manufacturers with a solid risk management program are better poised to lead on trustworthiness, transparency, and resilience.


Steven Darroch, Senior Manager, Deloitte & Touche LLP

Steven Darroch is a Senior Manager in Deloitte’s Cyber Risk Service offering. His nearly two decades of global experience include executive coaching and subject matter advisement on effective technology governance, cyber risk strategy, digital transformation and product security. He helps large medical technology, global pharmaceutical, health care and governmental entities to innovate in a secure, safe, and compliant manner. Steven actively advises organizations’ leaders on managing risk to fuel performance—particularly in planning for and addressing incidents and building resilience from a digital perspective across cyber frameworks, regulations and laws. He is a frequent speaker and writer who holds a Master of Science in Accounting and is a CISA, PMP and ISO27001 lead auditor.



Nick Sikorski, Manager, Deloitte & Touche LLP

Nick Sikorski is the Global Strategy and Solutions Leader for Deloitte’s Medical Device Safety and Security (MeDSS) practice, which focuses on helping clients secure connected medical devices and other life sciences products. In this role, Nick primarily works with medical device manufacturers and health care providers designing, developing and implementing enterprise-level medical device security programs. At the device level, Nick helps define security requirements, develop product security risk assessment frameworks, and conduct product security risk assessments. Beyond consulting, he is active across the life sciences and health care industry through his work on the Association for the Advancement of Medical Instrumentation’s (AAMI) medical device security workgroup. Nick regularly contributes as a speaker and contributor on various panels and with media and industry organizations on the topic of medical device cybersecurity. Nick received a Bachelor of Sciences degree in Civil Engineering from the University of Notre Dame. In addition, he holds Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP) credentials.



[1] IoT Healthcare Market, Global Forecast to 2022, MarketsandMarkets, 2017. See also:
[2] FDA press release, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices workshop.

