Digitization of healthcare and patient data has gained serious traction on a global scale, driven by the increased demand for connectivity. While this is partly due to the limited face-to-face patient care during the global pandemic, there is now an evident shift away from traditional clinical settings for healthcare. Therefore, when it comes to medical devices, it has never been timelier to consider a cybersecurity strategy to maintain patient safety and confidentiality.
I sat down with three of PI’s medical device experts – Penny Liberogiannis (Manager Legal, Risk, and Compliance), Ram Kannan (Quality and Regulatory Manager, Design & Development), and Florin Pintilie (Project Manager, Digital Software) – to talk about cybersecurity and privacy.
Cybersecurity is a broad term – how specifically does it apply to medical devices?
Ram: I think there are two main factors: firstly, there is the risk around safety, and then there is the security risk. When you put them together, you have this overlap in the middle which is a security risk with a safety impact. An example of this is someone taking over an implantable device or hacking into a ventilator – the security wall has let the hackers in and now there is the added threat to patient safety if someone is using that device. This is how we look at the matter at PI when working with clients; it must be a holistic view right from the start.
Penny: The nature of data that you are talking about with a medical device – even healthcare data in general – can’t be dismissed. Therefore, cybersecurity isn’t something you can choose not to think about.
When we talk about healthcare data – what specifics are we referring to?
Penny: Healthcare data is about an identifiable person’s health status and includes information or opinion about illness, injury, or disability. Examples of health information include notes of symptoms or diagnosis; information about a health service a person has had or will receive; specialist reports and test results; prescriptions; dental records; genetic information; a person’s wishes about future health services and potential organ donation; appointment and billing details, and any other personal information about an individual when a health service provider collects it.
Ram: With regards to regulation, there are clear definitions. Under the United States’ Health Insurance Portability and Accountability Act of 1996, protected health information (or PHI) is considered any identifiable information that is used, maintained, stored or transmitted by healthcare providers, a health plan or a health insurer. PHI exists in any form – physical records, electronic records or even spoken information. Similarly, the General Data Protection Regulation (GDPR) in Europe outlines the classification of personally identifiable information as any data that could potentially identify a specific individual.
The way that medical devices are used seems to be constantly evolving – what does this mean for cybersecurity?
Florin: The playing field has changed now because medical devices are no longer limited to clinical settings. Now, we have the technology to measure parameters of medication, monitor heart rates, respiratory rates, and so on – but it sits outside a confined setting, so there is a significant cybersecurity risk. A few years ago, telehealth and Electronic Health Records were not part of our everyday lives; now they are the new normal. While this is a positive thing, it also means that the implications for cybersecurity have changed, and products can be more vulnerable.
Penny: You would still expect privacy to be maintained both within and outside the clinical environment. Unfortunately, the type of data that we are talking about is extremely desirable to hackers and there is a lot of motivation to target medical devices. In the wrong hands, it can cause detrimental harm to an individual (such as reputational, social or financial harm), and the organizations that handle or hold it have a responsibility to keep it safe. Hackers know this and can leverage this for financial gain.
How has the regulatory landscape for medical devices evolved?
Florin: There is so much more regulation now for the protection of personal and health data. It’s been a global change – Europe was a big milestone with the General Data Protection Regulation (GDPR), which is now the toughest privacy and security law in the world.
Ram: Previously, the level of understanding about these issues varied greatly among manufacturers; whether they were a big or a small company, not everyone had the same knowledge or grasp of the requirements. So, regulators aimed to bring everyone together by setting standards and preparing guidance, but in their own ways – so the TGA, the FDA, and so on have their own guidance, but the common goal has always been safety and security. Specifically, the FDA and the TGA set out cybersecurity guidance for the industry as well as guidance for users, to ensure that the entire medical device sector (developers, manufacturers, sponsors, clinicians, and patients) is across security practices and protocols.
So, it’s in everyone’s best interests to consider a cybersecurity strategy?
Penny: Absolutely – and people seeking to enter the market shouldn’t be scared, either. When you think of information as an asset, it’s a natural progression to want to protect it – cybersecurity and data privacy are all about protecting and securing valuable information. It can improve how we work. A good cybersecurity strategy is not a one-size-fits-all situation; it’s scalable and it’s contextualized to what you want to achieve.
Florin: From a software development point of view, it can be very costly to retrofit software into a medical device if it was not considered from the start. You also must think about the end-user – people are less comfortable sharing their data and more concerned about how it is being used.
Ram: There is a view that compliance is costly, but believe me, non-compliance costs even more!
Whereabouts in the product development journey do privacy and cybersecurity fit?
Florin: If you’re building a product that deals with personal data and health data, you no longer have the option of thinking ‘Oh, we’ll worry about that later’ – you must deal with it from the onset. Our software team writes software requirements so that from the get-go we are across it and it’s not something tacked on once a product has been built.
Ram: As Florin mentioned earlier, it can be prohibitively expensive to retrofit software if you haven’t considered compliance from the get-go.
Penny: It’s privacy by design – thinking about it organically from day one rather than after you’ve created a product. You want to build it into your conceptualizing of what you want your device to do. These days, security and privacy are part of any service so it’s only natural that it forms part of the product development process. Also, keeping the end-user in mind the whole time is important – consumers are so much more aware of privacy, and they want to know what safeguards are in place. The end-user plays an enormous role from the very beginning.
Is it possible to be ‘innovative’ with cybersecurity when it comes to medical devices?
Penny: It certainly is. While there are elements that you cannot compromise, you can be innovative in how you achieve a cyber-safe product. Firstly, it’s important to understand the environment in which the medical device will operate – this will inform the solution. Secondly, connected medical devices produce efficiencies and rich data that can drive innovation and improvement. The key is to bring cybersecurity considerations into the early stages, just like any device safety consideration.
How does PI operate with this type of regulation, given clients are entering different markets at any given time?
Florin: We operate in a highly regulated environment and since PI’s inception we have taken a risk-based approach to product development. Certainly, because we have a regulatory team embedded as part of our development team, we frequently engage in dialogue and discussions about new changes in regulations and standards, and how we could efficiently include these changing landscapes as part of the product development process.
Ram: The rigor in every country’s regulatory jurisdiction is different. So, what we as the manufacturer should do is understand what the highest rigor is and then approach that with key concepts such as safety by design and privacy by design – thinking, from the very start, about making products as safe as possible with a risk-based approach (least burdensome approach).
Closing comments:
We now live in a world full of digitalization and connectivity – while it enables faster sharing of information and delivery of outcomes for patients, it also leaves medical devices increasingly exposed to cyber-attacks. We cannot eliminate these threats entirely, but what we can do is ensure that we are building the safest and most reliable devices for our clients and their end users.