Cyber attacks and data theft are serious issues across many industries, but in healthcare the consequences can be physically dangerous, potentially deadly, or just line the pockets of bad actors on the dark web.
After years of discussion and development between engineers, medical experts, and the U.S. Food and Drug Administration, the Institute of Electrical and Electronics Engineers (IEEE) has published and released the IEEE Medical Device Cybersecurity Certification Program.
The program provides a framework for medical companies to test and label their devices to meet rigorous cybersecurity standards. An early driver for the standards was a White House cybersecurity directive issued in 2021 that, among other things, pressured the FDA to better protect medical devices.
The first medical devices from companies including Ascensia have been certified under the new IEEE Medical Device Cybersecurity Certification Program. atsec testing facilities in Sweden, Germany and the United States have been officially recognized by the program.
Fitness for Driving
By submitting their medical devices for IEEE certification, manufacturers can demonstrate compliance with international standards. Having your device evaluated by an IEEE-accredited third-party testing lab against rigorous test plans and checklists ensures compliance with the IEEE 2621 standard, potentially speeding up the regulatory approval process.
IEEE and the IEEE Standards Association (IEEE SA) launched the program in 2023 as a result of the work of the IEEE 2621 Conformity Assessment Committee (CAC), which is comprised of stakeholders including manufacturers, clinicians, the FDA, testing laboratories, cybersecurity solution providers, and industry associations. The program aims to address cybersecurity risks in medical devices that collect and manage users’ biodata and impact their quality of life.
atsec labs in Danderyd, Sweden; Munich, Germany; and Austin, in the United States, are the first labs officially accredited to test medical devices under the IEEE Medical Device Cybersecurity Certification Program.
“When IEEE first reached out to atsec in July 2022, we enthusiastically embraced the opportunity to become a player in this field,” said Sal La Pietra, president and co-founder of atsec Information Security. “We are especially proud that this achievement comes after two successful pilot projects using the IEEE 2621 standard for testing medical devices. These projects allowed us to refine our processes and demonstrate our expertise in applying this standard,” added Rasma Mozraite Arabi, CEO of atsec AB, Stockholm, Sweden.
First Recall
One of the driving forces behind this new standard was Dr. David Klonoff, medical director of the Diabetes Institute at Mills Peninsula Medical Center in San Mateo, Calif. Diabetic patients are increasingly using connected diabetes devices (CDDs) that wirelessly and automatically transmit data and treatment commands to monitor and manage their condition.
CDDs include blood glucose monitors, continuous glucose monitors, insulin pumps, smart insulin injection pens, and automated insulin delivery systems.
For example, data generated by a continuous glucose monitor can be sent wirelessly to an app on a smartphone, smartwatch or other device, or to a cloud platform. Not only can the device be used to issue an alert when blood glucose levels are out of range, but the continuous stream of data can also help patients and medical professionals spot trends and patterns, providing a more complete and detailed picture of an individual’s condition, Klonoff noted.
In the case of automated insulin delivery systems, this data is also used to instruct the CDD worn by the patient to administer a controlled amount of insulin at a specific time.
In 2019, the FDA warned patients and healthcare providers that certain MiniMed insulin pumps made by Medtronic were being recalled due to potential cybersecurity risks. “This marks the first time a connected diabetes device has been voluntarily recalled by a manufacturer due to cybersecurity vulnerabilities,” Klonoff wrote in an article published in the Journal of Diabetes Science and Technology.
“The consequences can be life-or-death situations. If a cyber attacker goes in and tries to adjust your insulin levels, that could be very bad. On the other hand, if your credit card account gets hacked, that’s just as bad, but no one’s going to lose their life from it,” says Ravi Subramaniam, acting senior director for global business strategy and intelligence at the IEEE Standards Association.
Embrace the Standard
“There are a lot of cases of medical devices being hacked, but no one wants to talk about it. That’s really not good news for the industry, for the manufacturers, and for patients,” adds Ted Osinski, program manager for IEEE certification programs. “I think medical device manufacturers, by and large, are aware of this. They’re starting to build cybersecurity measures into their products from the design stage onwards. They have consultants on staff now. They know the future of their company depends on it, so when they come to us, they’re usually prepared.”
While IEEE doesn’t guarantee that device manufacturers it works with will receive FDA certification, it can help manufacturers prepare for the rigorous FDA application and certification process, which can take two to three months, Osinski noted.
The testing lab will tell device manufacturers what they need to submit, most importantly a document called a security target. From there, the lab will begin testing the product and work with the manufacturer to discuss the results and any additional safeguards that may be required.
There are three levels of testing, chosen according to the type of device and its importance. Based on the test results, IEEE evaluates the test report and, if the results are satisfactory, issues a certification mark for the device and registers it in the registry.
Labs that want to join the program also undergo an IEEE audit process, in which the organization performs an on-site assessment of the facility and lab capabilities, as well as evaluating the personnel who will perform the tests.
Certifications are valid for three years, but any changes to the product may require recertification or retesting. The registry also records the software versions that were tested, and any changes to them may require recertification.
The FDA could also refuse to accept devices that don’t have cybersecurity features, which is an important change because it hasn’t done so before, Osinski and Subramaniam said.
The testing labs themselves must be re-audited for accreditation by the IEEE every two years.
“The threat landscape keeps evolving every day and attackers are very sophisticated,” said Subramaniam. “Our test plans and standards will help the industry better keep up with the daily changes in the threat landscape. It will enable us to analyze the threat level of security targets and perform testing accordingly.”
Subramaniam believes the IEEE program will be embraced by the healthcare industry because it will be one international standard to follow, rather than trying to satisfy regulators in every country where the industry operates.
“It also removes a lot of the headaches for regulators who are struggling in each region. This program won’t address every region’s concerns, but at least this is a general layer and each region can have more specific requirements,” Osinski said. “But it really helps reduce the burden, the cost and the time it takes to get a product to market.”