Medical Device Regulation
Medical devices are broad in their capabilities, functionalities, uses, and regulation criteria. The FDA defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory…” that:
- Is recognized in the National Formulary or the U.S. Pharmacopoeia
- Is intended to diagnose disease and help treat or prevent disease and
- Affects bodily function.
Medical devices have always been regulated by the FDA or other government organizations, but over the past few years these devices have changed in their complexity and capabilities, making regulation harder but also even more important. We live in a time where people can wear devices that gather and maintain medical information. These are called wearable devices. They use technology, such as Bluetooth and Wi-Fi, to gather medical information about their users. Some consumers also wear Fitbits, which use Bluetooth to track and catalogue movements, heart rates, activity levels, and calories burned. Fitbits and Jawbone specifically have been deemed, by the FDA, as health awareness and coaching devices and are not subject to regulation or scrutiny. These devices do not claim to treat or cure any type of ailment or disease, so they are not medical devices; although, as we look at these devices, it is a reminder of the advances that have been made in the medical community. Over a million devices are using Bluetooth technology, including glucose monitors, oximeters, inhalers, and stethoscopes.
Medical devices are now also performing 3D-printing, enabling touchscreen, Wi-Fi, networking, and even robotic technologies.
The FDA has a Center for Devices and Radiological Health (CDRH) that is responsible for the regulation of medical devices. They regulate any entity that manufactures, imports, or repackages medical devices that are to be sold in the U.S. These devices are placed into one of three classes, I, II or III. The class type determine the level of regulation that will be used, with Class I requiring the least and Class III requiring the most. A Class I device will not require any type of premarket approval, whereas a Class III device does. A Class II would need to release a Premarket Notification 510(k) to meet regulatory requirements.
Class I is a “general controls class,” meaning the device poses minimal risk. Surgical instruments are an example.
Class II contains most medical devices. Some examples are contact lenses, ultrasound scanners, certain pregnancy tests and powered wheelchairs.
Class III devices support or maintain life. This would be implanted items, such as pacemakers.
The 510(k) needs to be submitted at least 90 days before any type of marketing begins. During that time, the FDA makes various determinations concerning the device, its similarities to other pre-approved devices, and its safety.
Some devices are based on standard platforms types, such as Windows or *nix variations, while others use non-standard platforms. For the devices using standard platforms, security measures ca be viewed as easier because patch updates and adjustments are released openly and easily and can be managed with minimal effort. For non-standard or more proprietary platforms, the devices may need to be sent back to the manufactures for updates, which can create delays in care or supply chain security considerations.
Dr. Phil, the famous TV psychologist, has released an app called “Doctor or Demand,” where licensed doctors are available through the app to treat, diagnose, and counsel a patient’s medical issues, while in the comfort of their home. These types of apps can also be considered medical devices and are considered their own platform.
MMAs or mobile health apps, are also regulated by the FDA. These devices run on various platform types, including Android, IOS, Blackberry, and others, which increases the scope and reach of the regulatory concerns.
The FDA has issued patch guidance for manufacturers of medical devices. If the devices use off-the-shelf (OTS) software, connect to a network, or have security vulnerabilities, they are subject to this regulation. For devices that use commercial OTS software, patch management is of the utmost importance, as these platforms are always targeted for potential vulnerability exploit capabilities. The FDA does not need to provide any type of approvals for a device to be patched, unless the patch changes how the device works, or in some way will make it less safe or less effective. It is expected that the manufacturers have a plan in place for patch management and how to most effectively follow it.
Just as manufactures and users are expected to perform patch management, anti-virus protection should be implemented, as well. The FDA mandates up-to9date firewall and anti-virus software be used where they can. Some medical devices have proprietary software platforms that could make anti-virus use more difficult, but every attempt should be made to scan for malware.
Segmentation and Network Protection
Medical devices using Bluetooth technology that uses AES encryption to ensure more secure network standards and frequency-hopping radio to help eliminate any network interference.
The FDA mandates the use of firewalls when applicable, but this regulation does not provide network segmentation steps. Network segmentation is an additional security layer that could add some additional control between the device and the network, reducing the attack surface area.
The FDA issued rules concerning encryption and authentication rules for medical devices. Any wireless network that is used to transmit medical data is expected to be a secured network. To prevent hacking of medical devices, authentication and encryption are mandated. No specific encryption types were mandated in the regulation, but the suggestion is to use “state-of-the-art encryption and authentication methods.” Bluetooth Smart uses 128-bit AES as its encryption standard.
In conclusion, cybersecurity concerns in medical devices is a growing concern as these devices become increasing complex in their use of technology and the desire to target medical data is increasing. The FDA is the main organization responsible for regulating medical devices and ensuring that cybersecurity concerns are addressed in these regulations as well.