MDR compliance 101: Medical devices from cybersecurity point of view Part 1.

What does the future hold for medical device manufacturers?

IoT  healthcare devices are relatively new on the market, and they are gaining popularity with an ever-increasing speed. However, as medical device manufacturers are building devices with healing and state-of-the-art technology in mind, they frequently forget about the security of these tools. Additionally, cybersecurity is not their primer profile. The combination of these factors makes medical devices the optimal target for malevolent hackers.

We decided to create a series of articles in order to thoroughly explain this phenomenon, to show medical device manufacturers why cybersecurity is so important, and to inform them about the latest regulatory changes affecting the way they need to build their products in the proximate future.

In this article we will explore the following topics:

1. Factors driving the global growth of IoT healthcare devices.
2. Why are they a popular target of cybercriminals?
3. The European MDD regulation, and the new MDR regulation.
4. What do manufacturers need to do to comply with the new expectations, and who they can turn to for assistance?

Let’s dive in!

The growth of connected devices within the healthcare industry

Smart products and IoT technologies in the healthcare sector are becoming more and more prevalent. In 2019, 30.3% of all IoT devices were used in the healthcare industry, which grew to 40% in 2020. Forecast experts estimate that healthcare-related IoT revenues will reach a value over $135 billion globally.

Why is this sudden and rapid growth?

The answer is simple.

First of all, using these devices at home in order to monitor the condition of patients saves loads of time and money for healthcare institutions. They are easy-to-use, and patients can swiftly send their records to their doctors for a check-up. There’s no need to travel, stand in long lines, and people don’t have to worry about catching something from other admitted patients.

Secondly, there is a lack of professional healthcare workforce, including nurses and doctors, while the number of those who require assistance are constantly on the rise. As a result, workers have less time for each patient, which can decrease the quality of service.

Smart connected devices are a great option to alleviate the negative effects of this global trend. These devices range from: monitoring tools that track remote patients, such as glucose, heart-rate, hand hygiene, depression and mood, or Parkinson’s disease, all the way to remote dosage injectors, robotic surgery solutions, connected contact lenses, ingestible sensors, connected inhalers, without being exhaustive.

Lastly, these IoT medical devices are trendy, convenient, and solve real problems, while they are highly profitable for manufacturers and healthcare institutions alike. There is a huge demand for medical solutions that help people save time and energy, which is driving the current global growth of the smart healthcare device market.

But what about cybersecurity?

We are all certain that these devices are strong, and sophisticated from a technological point of view, but the level of their security is a completely different question. Unfortunately, medical devices constantly suffer from security vulnerabilities, like injection flaws, broken authentication, sensitive data exposure, broken access control, security misconfiguration, insecure deserialization, and insufficient logging & monitoring.

These devices are a prime target of cyberattacks due to the high proportion of security weaknesses, which makes them an easy prey for cybercriminals. But why don’t manufacturers pay more attention to it?

We need to keep in mind that healthcare device manufacturers need to comply with a wide range of regulations in order to market their products, and so far, there hasn’t been any internationally applicable governance that would require them to build more secure solutions. The loose regulations and the intensive demand from other segments landed the question of cybersecurity among the last items on their priority list.

Moreover, the purchased medical devices often come with software solutions, like mobile or web applications which are used to track and analyze the measured data, while keeping in touch with the allocated medical professional. These add-on services make these connected devices even more appealing to hackers. By hacking them, cybercriminals can easily access the providers’ database to obtain and exfiltrate personally identifiable information (PII), which they use to blackmail the institution or the manufacturer. Incidents like this can result in huge financial expenses for the threatened party, as either they pay the requested sum, or they risk losing their customers, paying a governmental penalty, and rebuilding their own IT system.

This is the threat that lawmakers identified in recent years, which is why they incorporated regulations concerning cybersecurity into the MDR/IVDR.

What is MDR?

MDR (Medical Device Regulation), which counts as a real game-changer in the industry, was framed in 2017 and would have come into effect in 2020, though its date of application was postponed to May 26, 2021, while that of the IVDR to 2022. The reason behind this decision was to relieve pressure on national authorities, Notified Bodies (NB), manufacturers, and other stakeholders, in light of the COVID-19 crisis.

Note: The EU Health Commissioner, Stella Kyriakides proposed plans to delay the deadline for MDR certification to 2027 for high-risk devices and 2028 for medium and low-risk devices. The European Parliament will most likely decide on the plans in January, 2023.

MDR is the new regulation replacing MDD (Medical Devices Directive) that was established in 1994. In the MDD, the question of cybersecurity was mentioned only in one sentence, which has been expanded to a 47-page-long segment in the new MDR. This significant change shows us how legislators are pressing for a higher standard of cybersecurity requirements.

MDR defines and narrows the scope and angle for developers and manufacturers to determine if their goods and services are considered medical devices. The regulation wants to make it clear that these technologies are either IT devices (hardware and software based) or legacy devices with smart component attachments. Either of which has different security expectations that they need to fulfill. The MDR subjects medical devices to proper examination, evaluation, monitoring and treatment support, which is great news for security-conscious manufacturers, and those patients, who were holding themselves back from such solutions because of the fear of data theft.

According to the new MDR regulations, manufacturers will need to comply with:

1. introductory review of the relevant European and International guidance,
2. pragmatic implementation of security risk management and design controls like the ones defined in AAMI TIR57 and IEC 60601-4-5,
3. EC 62443 part 4, ISO 27000 series, if necessary.

Why is MDR so important?

The MDR is revolutionary because it not only defines medical devices as high-profile products on the market that should be tested and certified, but also creates a framework through which medical devices should be evaluated.

This certification and evaluation framework is a huge step forward from a security standpoint, which will eventually result in a safer cybersecurity environment, thus supposedly further promoting the expansion of the smart healthcare industry.

Complying with the regulations of MDR is compulsory for all manufacturers, vendors and providers who want to access the European market with their products, as failing to meet the standard can result in fines, litigation, product recalls, design change, and lost access to materials and markets.

What can you do as a manufacturer to comply with MDR?

It is important to know for all, who are affected by this change, that compliance assessment and certification are handled by a designated organization. While there are many crucial factors you, as a manufacturer, need to pay attention to in this respect, fortunately some professional organizations, like CCLab, can help you prepare for the submission. Our team acts as an advisor to help you guide through the tasks you need to complete and the documents you need to obtain in order to make sure you have everything to get the certification, and pass the assessment. By partnering with QTICS Medical Group, we are able to provide a 360° package to our clients that encompasses all fields of the MDR/IVDR compliance.

In the next segment of the series we will continue with the topic of MDR and dive deeper into what are the key components of a proper MDR compliance. Read now HERE.