Regulation of Connected Medical Devices and IOmT
Connected medical devices (CMDs) can produce and transmitting patient data, allowing their condition to be monitored by healthcare professionals. They are often used in decentralised clinical trials (DCTs) outside of the clinical trial site, allowing for participants who wouldn’t usually be able to attend. CMDs have led to the Internet of Medical things, a connected network of systems and which produce, transmit and analyse patient data.
CMDs and IoMT have countless applications in the healthcare and medical technology (Medtech) industries, however these devices are susceptible to cyber-attacks and data leaks. These attacks include stealing and selling private patient data to third parties, denial of service (DOS) attacks, and altering medical data which can lead to improper diagnoses and treatments.
It has been suggested by multiple authors that CMDs and other wearable activity trackers are prone to cyber-attack is that data security and privacy issues are often not considered during their development (1). Regulations for the development of CMDs in the UK fall under two categories: regulations concerning medical devices in general, and regulations concerning IoMT including data protection and cybersecurity. Medtech companies must follow both types of regulations if they wish to sell CMDs in the UK and abroad. Here we discuss the current regulations for CMDs in the UK, how they may change in response to these security issues, and how this will impact clinical trials and the approval of CMDs.
Current Device Regulations
Regulations for medical devices in the UK need to be updated to better cover the risks associated with CMDs, as many of these devices can enter the UK market with little-to-no regulatory approval especially in terms of data security. Manufacturers currently need only a Conformité Européenne (CE) mark to be sold in the EU (1). With CE marking, devices are classified according to risk from lowest (Class I) to highest (Class III), with class I devices allowed to enter the market without prior data regarding their safety in the US, EU and Japan. Devices placed in class IIb or III must carry out an audit of the whole quality assurance system or undergo an “Annex III” examination which can include examination of each product/batch, audit of the final inspection, or an audit of the production quality assurance system (2). Clinical trials to evaluate the conformity of CMDs to medical device regulations will have at least one of the following aims: (a) to verify that under normal usage, the device achieves the performance intended by the manufacturer, (b) to establish its clinical benefit as specified by the manufacturer, and (c) to establish its clinical safety (3). Many wearable devices e.g. smartwatches and activity trackers can skip regulatory approval as they aren’t currently classed as CMDs, however to be utilised in DCTs, they will need to be approved as medical devices (4).
In the UK and EU, the General Data Protection Regulation (GDPR) covers the use of medical data, as well as the Data Protection Act 2018 (DPA) in the UK as of 1 January 2021 (5). These regulations prohibit the disclosure of private data to third parties without the patient’s consent and can only be used without consent in the case of direct care and healthcare quality improvement projects. On the 24th of November 2021, the UK government issued the Product Security and Telecommunications Infrastructure (PSTI) Bill to place increased cybersecurity standards on technology companies (6). Requirements of PSTI include banning default and weak passwords, investigation of compliance failures and being transparent about fixes to security issues, with hefty fines in place if these rules aren’t followed. These regulations will force Medtech companies to constantly update devices and software found to be at risk of cyber-attack, as well as keeping the public informed on the updates. In addition, NHS-contracted organisations need to follow the NHS Code of Confidentiality and Code of Practice (5). Medtech companies hoping to sell in the UK should ensure their device meets these NHS requirements, and the NHS Data Security and Protection Toolkit 2021 states that healthcare organisations must keep an inventory of CMDs in their network (7). While these regulations prevent CMD developers from directly releasing data to third parties, they will not prevent cyber-attacks.
On the 26th of June 2022, the UK Government had a press release in which they discussed future regulatory changes regarding CMDs and data security (8). As of the 30th of June 2023, CMDs will need to carry a UK Conformity Assessed (UKCA) marking to be sold in the UK instead of the current CE markings. The UKCA marking is not recognised by the EU market as it only complies to the UK Supply of Machinery (Safety) Regulations 2008 (9), meaning Medtech companies hoping to enter both markets will need to follow the regulations of both markings. In addition, the government intends to introduce pre-market regulations similar to the EU MDR General Safety and Performance Requirement (GSPR) 17.4 regarding cyber security for medical devices. Following this regulation, hardware, IT networks and security measures must meet minimum requirements including protection against unauthorised access needed to allow the software to run efficiently (10).
Where regulation may fall short of innovation in the changing landscape and possible solutions
Currently, medical device regulations such as the Conformité Européenne (CE) and UKCA markings don’t intersect with cybersecurity and data protection regulations, meaning CMDs can currently be sold in the UK despite being susceptible to data leaks. There is no evidence to suggest that this will change soon, however possible future rules to combine these types of regulation may include classing data security as a component of patient safety in clinical trials. In addition, pre-market trials of CMD cybersecurity could be performed using simulated malware to test for vulnerabilities in CMDs, including software and AI networks (1). These regulations will force Medtech companies to consider the cybersecurity of their devices more strongly during the design and production stages of development, preventing cyber-attacks instead of retroactive changes following data leaks.
CMDs have revolutionised modern healthcare, however IoMT is still in its infancy and cybersecurity risks and subsequent regulatory changes are to be expected. These changes will likely stall the development and sale of CMDs due to increased care during development and stricter pre-market trials, however regulations are necessary to ensure patient data remains private for the safety and security of the public.
References:
1) Hernández-Álvarez L, Bullón Pérez JJ, Batista FK, Queiruga-Dios A. Security Threats and Cryptographic Protocols for Medical Wearables. Mathematics. 2022 Mar 10;10(6):886. – Available from: https://doi.org/10.3390/math10060886
2) CE Marking – Medical Devices Class III [Internet] 2021 – Available from: http://www.ce-marking.com/medical-devices-class-iii.html
3) Reuschlaw – Need for clinical trials in accordance with the MDR [Internet] 2021 – Available from: https://www.reuschlaw.de/en/news/need-for-clinical-trials-in-accordance-with-the-mdr/
4) Sato T, Ishimaru H, Takata T, Sasaki H, Shikano M. Application of Internet of Medical/Health Things to Decentralized Clinical Trials: Development Status and Regulatory Considerations. Frontiers in Medicine. 2022;9. doi: 10.3389/fmed.2022.903188
5) TaylorWessing – Medical devices in the UK – the data protection angle [Internet] 2020 – Available from: https://globaldatahub.taylorwessing.com/article/medical-devices-in-the-uk-the-data-protection-angle
6) Info Security Magazine – UK Introduces New Cybersecurity Legislation for IoT Devices [Internet] 2021 – Available from: https://www.infosecurity-magazine.com/news/uk-cybersecurity-legislation-iot/
7) Core to Cloud – New mandatory cybersecurity requirements for medical devices [Internet] 2021 – Available from: https://www.coretocloud.co.uk/new-mandatory-cybersecurity-requirements-for-medical-devices/
8) UK Government press release – UK to strengthen regulation of medical devices to protect patients [Internet] 2022 – Available from: https://www.gov.uk/government/news/uk-to-strengthen-regulation-of-medical-devices-to-protect-patients
9) Make UK – CE Marking vs UKCA Marking – What does it mean? [Internet] 2020 – Available from: https://www.makeuk.org/insights/blogs/ce-marking-vs-ukca-marking
10) EU Medical Device Regulation – ANNEX I – General safety and performance requirements [Internet] 2019 – Available from: https://www.medical-device-regulation.eu/2019/07/23/annex-i-general-safety-and-performance-requirements/