Cybersecurity Risks in Medical Devices – Health Canada Adopts Guidance Document

August 27, 2019 | David Krebs

Cybersecurity and data breaches are topics of high concern for Canadians. As discussed in previous blog articles, data breaches in Canada, North America and Europe have illustrated how financially motivated hackers and human error can put personal data at risk, thereby causing potential reputational and financial harms such as identity theft, fraud and humiliation. Immediate physical harm resulting from cybersecurity risks has been less frequently highlighted as an acute area of concern, but as this entry will discuss, it is certainly not going unnoticed as it relates to medical devices.

To address cybersecurity risks in medical devices, Health Canada has recently released a Guidance Document: “Pre-market requirements for Medical Device Cybersecurity.” Canada is not alone. The US Food and Drug Administration (“FDA”) had previously released similar guidance, and, just a few weeks ago, the French authorities, Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), released draft guidance intended to enhance the existing European framework for medical devices (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017/746).

What are the risks?

A recent communication by the FDA is a clear example of how grave the consequences of cyber vulnerabilities in medical devices are. A glitch or error in many other industries may cause harm to personal data, corporate intellectual property and perhaps even indirect physical consequences (cyber infrastructure attacks causing power outages and delays in food supply, to name two), but none so direct and immediate as the risks associated with, for example, being able to hack a medical device and remotely change dosages or otherwise manipulate the delivery of care.

In this case, the manufacturer was made aware of a vulnerability in the wireless communication between its insulin pumps and certain other devices (such as blood glucose meters and continuous glucose monitoring systems), which would make it possible for a bad actor to access the device and make changes to the dosing of insulin that a patient receives. There have been no reports of any actual harm to patients, nor knowledge of actual attempts to access the device, but the potential for serious physical harm was such that the devices have been recalled and patients urged to switch to other models, in both the US and Canada.

Responsibility for cybersecurity in medical devices

According to Health Canada’s “Guidance Document: Pre-market Requirements for Medical Device Cybersecurity,” the primary responsibilities fall on the manufacturer of the medical device. The Guidance Document states that:

“Manufacturers should incorporate cybersecurity into the risk management process for every device that consists of or contains software. Manufacturers are also encouraged to develop and maintain a framework for managing cybersecurity risks throughout their organizations.”

One such framework is ISO 14971-07:2007 Medical devices – Application of risk management (ISO 14971). The Guidance Document describes how manufacturers are to incorporate the elements of this framework into their operations and manufacturing life-cycle. Manufacturers are also encouraged to adopt (and adapt) relevant aspects of the NIST “Framework for Improving Critical Infrastructure Cybersecurity” as a “blueprint of best practices to guide their cybersecurity activities, including those related to risk management.” Early-stage consideration of potential threats, similar to the principles underlying “Privacy by Design,” is also highlighted as part of a ‘cybersecurity by design’ approach.

The FDA’s guidance document on this issue also highlights the responsibility of the manufacturer but makes a clear statement that it goes beyond the device itself, noting that “[t]he health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage security risks.”

Regulatory requirements

The Guidance Document applies to all Classes (I, II, III, and IV), although not every requirement will be relevant to every device type. Class III and Class IV applications will need to submit evidence of adherence to these standards as part of their licence applications. The core elements are as follows:

  • Secure Design
  • Device-specific risk management
  • Verification and Testing
  • Ongoing monitoring and response to risks (including information sharing about known or potential risks).[1]

Secure Design principles include: a) secure communications between the device and other networked devices; b) data integrity and confidentiality, for example, encryption of data; c) user access – different privileges for different required levels of access; d) software maintenance – to secure against emerging risks; e) hardware and physical design; f) reliability and availability – designed to recover from attacks. These principles are somewhat familiar from what the expectations would be from a privacy perspective, where these devices process personal health information or other personal data.

Summary

As the general threats of cybersecurity become more well-known and top-of-mind, so will the expectations of patients, hospitals, and the regulators that specific threats related to medical device security will be appropriately addressed by manufacturers. The Guidance Document only became effective June 26, 2019, and companies should be monitoring how it will be interpreted and implemented by Health Canada.


[1] The FDA encourages self-reporting of known issues with cybersecurity of devices.
