Over the past decade, device security has become a more high-profile topic as medical device manufacturers incorporate next-generation technology to allow for connectivity and real-time monitoring by patients, caregivers, and physicians.
As we wrote about in January and February of this year, the boom in personalized medicine continues at breakneck pace, changing the way we think about and interact with modern medicine. While the term “personalized medicine” was first and most frequently used in the context of gene therapy, the broader definition of personalized medicine encompasses medical devices, especially implantable medical devices (IMD), among other forms of personalization.
As with most forms of personalized medicine, there is a bilateral flow of information that occurs between the patient and the medical provider. Medicine has seen a vast increase in the treatment scenarios that call for a real-time free-flow of data between the patient and the medical provider in order to facilitate medical intervention and best outcomes—and medical device makers are there to meet that demand.
Let’s take a look at the evolution of the pacemaker, the progenitor of the modern cardiac implantable device. Commercially available for the first time in the 1950s, the external pacemaker laid the foundation for implantable medical devices powered by battery. Now, millions of pacemakers are implanted each year around the world. The components of the pacemaker consist of a hermetically sealed metal case which houses a lithium battery-powered pulse generator, sensing amplifiers, a microprocessor, and output power circuits. The device is connected to electrodes in the heart’s chambers, which stimulate the heart. Traditionally, this stimulation, or “pulsing” could not adjust to the patient’s physiological demand, such as exercise, but pacemakers evolved to conduct their own decision-making by sensing the patient’s altered physiological condition, and adjusting accordingly.
So, the pacemaker had evolved to deliver appropriate up-to-the-minute intervention to the patient, without communicating directly—in real time—with the patient’s medical provider. But another recent evolutionary jump for pacemakers involved communication: remote cardiac monitoring which improves clinical efficiency by allowing the pacemaker to transmit critical data directly to the patient’s doctor. This new standard of care saves lives but, as one would expect, also presents with serious information security and privacy concerns.
Interconnectivity’s Tension between Accessibility and Device Security
With the way paved by the pacemaker, the expanding menu of bioengineered IMDs now includes defibrillators and other cardiac devices, neurostimulators, drug delivery systems, and a host of real-time vital monitoring systems. With each additional problem addressed by an IMD, another privacy concern develops. The stakes of a data breach are exceedingly high, including threats to the integrity of the IMD, and—especially in the case of remotely reconfigurable devices—the immediate safety of the patient.
As a whole, the implantable medical device space is rightfully laser-focused on balancing the need for data accessibility with the need for an extremely high level of privacy and security. This conundrum is most clear in the case of the need for emergency access to the IMD. For instance, many IMDs have two main states: normal and emergency. In normal mode, the IMD must engage security features that render it undetectable to outsiders. However, in an emergency, the IMD must be detectable and potentially configurable. These countervailing aims must be addressed within the constraints of each IMD’s limitations, such as battery life, storage capacities, and computing power.
The FDA and other organizations, such as the National Science Foundation and the Department of Homeland Security, have been working to set cybersecurity standards for the design of medical devices. In April of this year, the FDA issued the Medical Device Safety Action Plan, which lays out the regulator’s efforts to address, in part, medical device security.
Specifically, the Plan indicates the FDA “has been taking steps towards creation of a collaborative, multi-stakeholder environment that fosters communication about cybersecurity vulnerabilities that may affect the safety, effectiveness, and security of medical devices, or the integrity and security of the surrounding healthcare IT infrastructure. FDA also continues to work with external partners to advance the state of cybersecurity in the medical device ecosystem through several initiatives, including supporting the establishment of additional medical device vulnerability Information Sharing Analysis Organizations (ISAOs).”
Medical device makers would do well to partner with the FDA and other organizations to set cybersecurity and device security standards for the industry, bringing a level of certainty and assurance to regulators, patients, medical providers, and manufacturers alike.