New cyber standards set for medical devices

July 30, 2024
Following years of discussion and development between engineers, medical professionals and the U.S. Food and Drug Administration, the Institute of Electrical and Electronics Engineers (IEEE) has published and released the IEEE Medical Device Cybersecurity Certification Program.

Cyberattacks and data theft are a serious problem in many industries, but in healthcare the consequences can be physically dangerous, even deadly, while also enriching bad actors on the dark web.

The program provides a framework for medical companies to have devices tested against rigid cybersecurity standards and earn a certification label. The driving factor early on for the standards was the White House's cybersecurity directives issued in 2021, which, among other things, pressured the FDA to increase protection of medical devices.

The first medical devices from companies, including Ascensia, have been certified under the new IEEE Medical Device Cybersecurity Certification Program. Test facilities from atsec in Sweden, Germany, and the U.S. have been officially recognized under the program.

Driving Conformity

By submitting medical devices for IEEE certification, manufacturers can demonstrate conformity with an international standard. Having their devices evaluated against a rigorous test plan and checklists by IEEE authorized third-party test labs helps to ensure conformance with the IEEE 2621 standard. This may expedite the approval process by regulatory bodies.

IEEE and the IEEE Standards Association (IEEE SA) launched the program in 2023 as a result of the work done by the IEEE 2621 Conformity Assessment Committee (CAC), composed of stakeholders such as manufacturers, clinicians, the FDA, test laboratories, cybersecurity solutions providers and industry associations. It aims to help address cybersecurity risks in medical devices that capture and manage user bio data and impact quality of life.

Atsec labs in Danderyd, Sweden, Munich, Germany and Austin are the first to be officially authorized to test medical devices under the IEEE Medical Device Cybersecurity Certification Program.

"We enthusiastically embraced the opportunity to become a player in this domain when IEEE first contacted atsec in July 2022," said Sal La Pietra, President and co-founder of atsec information security. “We're particularly proud of this achievement because it follows the successful completion of two pilot projects that used the IEEE 2621 standard for medical device testing. These projects allowed us to refine our processes and demonstrate our expertise in applying this standard," added Rasma Mozuraite Araby, CEO of atsec AB in Stockholm, Sweden.

The First Recall

One of the driving forces behind the new standard was Dr. David Klonoff, Medical Director of the Diabetes Research Institute at Mills-Peninsula Medical Center in San Mateo, Calif. A growing number of people with diabetes are turning to connected diabetes devices (CDDs) to monitor and manage their condition in an automated fashion, with wireless automatic transfer of data and treatment commands.

CDDs include blood glucose monitors, continuous glucose monitors, insulin pumps, smart insulin injection pens and automated insulin dosing systems.

For example, data generated by a continuous glucose monitor is wirelessly transmitted to an app on a smartphone, smartwatch or other devices, or to a cloud platform. Not only is this device used to issue alerts when glucose levels are out of range, but the continuing flow of data enables patients and healthcare professionals to see trends and patterns, which provide a more complete, nuanced picture of an individual’s status, Klonoff has noted.

For automated insulin dosing systems, the data is also used to direct a CDD worn by the patient to dispense insulin in controlled amounts at certain times.

In 2019, the FDA warned patients and healthcare providers that certain Medtronic MiniMed insulin pumps were being recalled because of potential cybersecurity risks. It was the first time a connected diabetes device had been voluntarily recalled by a manufacturer because of cybersecurity vulnerabilities, Klonoff wrote in an article published in the Journal of Diabetes Science and Technology.

"The outcome could be a life-and-death type situation. If a cyber attacker were to go in and try to adjust your insulin levels, you could have a very, very bad outcome as opposed to someone hacking your credit card account, which is equally bad, but no one's going to die from that," says Ravi Subramaniam, Acting Senior Director for Global Business Strategy and Intelligence at the IEEE Standards Association.

Embracing the Standard

"There have been a number of cases when the medical devices were hacked, but nobody really wants to talk about it. This is really not good news for the industry, for the manufacturers or for the patients," adds Ted Osinski, Program Manager for IEEE Certification Programs. "I think the medical device manufacturers, by and large, have taken notice of it. They've started to insert cybersecurity precautions in the products, starting from the design. Now they have consultants on staff. They know the future of the company depends on that. And so when they come to us, they usually, you would say they're prepared."

IEEE does not guarantee that a device manufacturer that collaborates with it will get FDA certification, Osinski notes, but the organization can help manufacturers prepare for the stringent FDA submission and certification process, which takes 2-3 months.

The test labs inform the device manufacturers what materials to submit, with the most important one being a document called the security target. From there the lab begins testing the product and working with the manufacturer to discuss the results and what additional safety steps may be needed.

There are three levels of testing, based on the type of device and its criticality for patient outcomes. IEEE evaluates the test reports and, if they are satisfactory, issues a certification mark for the device and lists it in a registry.

Labs that want to be part of the program also go through an IEEE audit process, in which the organization performs an onsite evaluation of facilities and lab capabilities and also evaluates the personnel performing the testing.

The certification is good for three years, but if there are changes to a product it could require recertification or even a retest. The registry also includes the software version tested, and any changes could trigger a recertification requirement.

The FDA can also refuse to accept a device that does not have cybersecurity features built into it, which Osinski and Subramaniam say is a critical change because that was not done before.

The testing labs themselves must be re-audited on their accreditation with IEEE every two years.

"The threat conditions continue to evolve day to day. Attackers are very, very sophisticated," Subramaniam says. "Our test plan and the standard help the industry to even go beyond the daily change in the threat landscape. It really allows you to analyze the security target at what level of threat there is and perform the testing based on that."

Subramaniam believes the IEEE program will be embraced by the medical industry because it will be one international standard to follow, as opposed to manufacturers trying to please regulators in every country they do business in.

"It also resolves a lot of headaches for the regulatory agencies that are struggling within their own region. Not to say that this program is going to address every single region's concerns, but at least it could be sort of a general layer and then the regions may have more specific requirements themselves," Osinski says. "But it really helps to reduce the burden, the cost and time needed to get the product into the market."

About the Author

John Dobberstein | Managing Editor/SecurityInfoWatch.com

John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines. He most recently served as senior editor for the Endeavor Business Media magazine Utility Products.