Regulation of Connected Medical Devices and IOmT

Collection and transmission of personal biological and health information via IoMT connected medical devices requires regulatory oversight and has cybersecurity implications.

Connected medical devices (CMDs) can produce and transmit patient data, allowing a patient's condition to be monitored by healthcare professionals. They are often used in decentralised clinical trials (DCTs) outside of the clinical trial site, allowing participation by people who wouldn't usually be able to attend. CMDs have led to the Internet of Medical Things (IoMT), a connected network of systems which produce, transmit and analyse patient data.

CMDs and the IoMT have countless applications in the healthcare and medical technology (Medtech) industries; however, these devices are susceptible to cyber-attacks and data leaks. Such attacks include stealing private patient data and selling it to third parties, denial of service (DoS) attacks, and altering medical data, which can lead to improper diagnoses and treatments.

Multiple authors have suggested that CMDs and other wearable activity trackers are prone to cyber-attack because data security and privacy issues are often not considered during their development (1). Regulations for the development of CMDs in the UK fall under two categories: regulations concerning medical devices in general, and regulations concerning the IoMT, including data protection and cybersecurity. Medtech companies must follow both types of regulation if they wish to sell CMDs in the UK and abroad. Here we discuss the current regulations for CMDs in the UK, how they may change in response to these security issues, and how this will impact clinical trials and the approval of CMDs.

Current Device Regulations

Regulations for medical devices in the UK need to be updated to better cover the risks associated with CMDs, as many of these devices can enter the UK market with little to no regulatory approval, especially in terms of data security. Manufacturers currently need only a Conformité Européenne (CE) mark for a device to be sold in the EU (1). Under CE marking, devices are classified according to risk from lowest (Class I) to highest (Class III), with Class I devices allowed to enter the market without prior data regarding their safety in the US, EU and Japan. Devices placed in Class IIb or III must undergo an audit of the whole quality assurance system or an "Annex III" examination, which can include examination of each product or batch, an audit of the final inspection, or an audit of the production quality assurance system (2). Clinical trials to evaluate the conformity of CMDs to medical device regulations will have at least one of the following aims: (a) to verify that under normal usage the device achieves the performance intended by the manufacturer, (b) to establish its clinical benefit as specified by the manufacturer, and (c) to establish its clinical safety (3). Many wearable devices, e.g. smartwatches and activity trackers, can skip regulatory approval as they aren't currently classed as CMDs; however, to be utilised in DCTs they will need to be approved as medical devices (4).

In the UK and EU, the General Data Protection Regulation (GDPR) covers the use of medical data, as does the Data Protection Act 2018 (DPA) in the UK as of 1 January 2021 (5). These regulations prohibit the disclosure of private data to third parties without the patient's consent; such data can only be used without consent for direct care and healthcare quality improvement projects. On 24 November 2021, the UK government introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill to place increased cybersecurity standards on technology companies (6). Requirements of the PSTI include banning default and weak passwords, investigating compliance failures and being transparent about fixes to security issues, with hefty fines in place if these rules aren't followed. These regulations will force Medtech companies to continually update devices and software found to be at risk of cyber-attack, as well as keeping the public informed about the updates. In addition, NHS-contracted organisations need to follow the NHS Code of Confidentiality and Code of Practice (5). Medtech companies hoping to sell in the UK should ensure their device meets these NHS requirements, and the NHS Data Security and Protection Toolkit 2021 states that healthcare organisations must keep an inventory of the CMDs on their network (7). While these regulations prevent CMD developers from directly releasing data to third parties, they will not by themselves prevent cyber-attacks.

On 26 June 2022, the UK Government issued a press release discussing future regulatory changes regarding CMDs and data security (8). From 30 June 2023, CMDs will need to carry a UK Conformity Assessed (UKCA) marking to be sold in the UK instead of the current CE marking. The UKCA marking is not recognised by the EU market as it complies only with the UK Supply of Machinery (Safety) Regulations 2008 (9), meaning Medtech companies hoping to enter both markets will need to follow the requirements of both markings. In addition, the government intends to introduce pre-market regulations similar to the EU MDR General Safety and Performance Requirement (GSPR) 17.4 regarding cybersecurity for medical devices. Under this requirement, manufacturers must set out minimum requirements for hardware, IT networks and IT security measures, including protection against unauthorised access, that are necessary to run the software as intended (10).

Potential future intersection between regulations for cybersecurity & medical devices.

Where regulation may fall short of innovation in the changing landscape and possible solutions

Currently, medical device regulations such as the Conformité Européenne (CE) and UKCA markings don't intersect with cybersecurity and data protection regulations, meaning CMDs can currently be sold in the UK despite being susceptible to data leaks. There is no evidence to suggest that this will change soon; however, possible future rules combining these types of regulation may include classing data security as a component of patient safety in clinical trials. In addition, pre-market trials of CMD cybersecurity could be performed using simulated malware to test for vulnerabilities in CMDs, including their software and AI networks (1). Such regulations would force Medtech companies to consider the cybersecurity of their devices more thoroughly during the design and production stages of development, preventing cyber-attacks rather than making retroactive changes following data leaks.

CMDs have revolutionised modern healthcare; however, the IoMT is still in its infancy, and cybersecurity risks and subsequent regulatory changes are to be expected. These changes will likely stall the development and sale of CMDs due to increased care during development and stricter pre-market trials, but such regulations are necessary to ensure patient data remains private, for the safety and security of the public.

References:

1) Hernández-Álvarez L, Bullón Pérez JJ, Batista FK, Queiruga-Dios A. Security Threats and Cryptographic Protocols for Medical Wearables. Mathematics. 2022 Mar 10;10(6):886. Available from: https://doi.org/10.3390/math10060886

2) CE Marking. Medical Devices Class III [Internet]. 2021. Available from: http://www.ce-marking.com/medical-devices-class-iii.html

3) Reuschlaw. Need for clinical trials in accordance with the MDR [Internet]. 2021. Available from: https://www.reuschlaw.de/en/news/need-for-clinical-trials-in-accordance-with-the-mdr/

4) Sato T, Ishimaru H, Takata T, Sasaki H, Shikano M. Application of Internet of Medical/Health Things to Decentralized Clinical Trials: Development Status and Regulatory Considerations. Frontiers in Medicine. 2022;9. Available from: https://doi.org/10.3389/fmed.2022.903188

5) TaylorWessing. Medical devices in the UK – the data protection angle [Internet]. 2020. Available from: https://globaldatahub.taylorwessing.com/article/medical-devices-in-the-uk-the-data-protection-angle

6) Info Security Magazine. UK Introduces New Cybersecurity Legislation for IoT Devices [Internet]. 2021. Available from: https://www.infosecurity-magazine.com/news/uk-cybersecurity-legislation-iot/

7) Core to Cloud. New mandatory cybersecurity requirements for medical devices [Internet]. 2021. Available from: https://www.coretocloud.co.uk/new-mandatory-cybersecurity-requirements-for-medical-devices/

8) UK Government press release. UK to strengthen regulation of medical devices to protect patients [Internet]. 2022. Available from: https://www.gov.uk/government/news/uk-to-strengthen-regulation-of-medical-devices-to-protect-patients

9) Make UK. CE Marking vs UKCA Marking – What does it mean? [Internet]. 2020. Available from: https://www.makeuk.org/insights/blogs/ce-marking-vs-ukca-marking

10) EU Medical Device Regulation. ANNEX I – General safety and performance requirements [Internet]. 2019. Available from: https://www.medical-device-regulation.eu/2019/07/23/annex-i-general-safety-and-performance-requirements/

Cybersecurity Considerations for Connected Medical Devices and the “Internet of Medical Things”

Cybersecurity for IoMT connected medical devices.

Advancements in technology over the past few decades have led to the development of devices capable of connecting to one another via networks such as Wi-Fi and Bluetooth, allowing them to create, transmit and receive data. Medical technology (Medtech) companies have utilised these features to develop connected medical devices. These devices can transmit patient data such as heart rate, blood glucose levels and sleep patterns, which can be monitored by healthcare professionals and clinical trial companies, allowing accurate remote oversight of a patient's condition for quick and accurate diagnosis and treatment from anywhere.

The existence of connected medical devices has led to the Internet of Medical Things (IoMT), the connected network of health systems and services able to produce, transmit and analyse clinical data, which is changing the shape of healthcare and clinical trials globally.

Despite the clear potential of the IoMT in the healthcare system, there are several factors affecting the development of connected medical devices and their uptake by the public. These include worries regarding the security of private clinical data in light of cybersecurity attacks over the past decade, and the subsequent data protection regulations put in place to prevent further leaks, together with their potential impact on future innovation in the Medtech industry.

Connected Medical Devices and the Internet of Medical Things (IoMT)

There are over 500,000 connected medical devices (CMDs) currently on the market (1), which can be split into three key groups: stationary medical devices typically found in hospitals, such as CT and MRI scanners; implanted medical devices, such as pacemakers and defibrillators, which monitor a patient's condition more closely; and wearable medical devices, such as smartwatches that track patient activity and insulin pumps (1). Many technology companies, including those which wouldn't be classified as Medtech (Apple, Nike, Huawei), produce smart devices which generate data on user activity such as exercise, heart rate and quality of sleep. In November 2021, the FDA authorised the first prescription-use VR system for chronic lower back pain, further highlighting the increasing opportunities for CMDs in healthcare (2). Artificial intelligence (AI) and machine learning (ML) algorithms can also be classed as CMDs; they are capable of automated learning using neural networks to search and analyse data much faster (3). These AI systems are commonly used to search for novel patterns in data, to diagnose and predict outcomes, and to optimise patient treatments, and are widely used in clinical trials (3).

These devices, the data they produce and the development of software capable of compiling and analysing this data have led to the creation of the Internet of Medical Things (IoMT), which has the potential to revolutionise healthcare (1). The IoMT allows healthcare professionals to monitor patients in real time from anywhere, increasing the speed and accuracy of diagnosis and treatment. General uptake of the IoMT in healthcare may improve disease and drug management, leading to better patient outcomes and decreased costs to healthcare providers.

Medical Devices and Clinical Trials

CMDs have enabled hybrid and decentralised clinical trials (DCTs), in which trials take place remotely, in patients' homes and during their daily lives, instead of at a trial site. The prevalence of DCTs has increased significantly since the start of the COVID-19 pandemic, during which patient access to clinical trials was reduced by 80% and monthly trial starts decreased by 50% (4).

DCTs allow patients to take part who would usually be unable to participate due to geographical or time limitations, while reducing time spent on-site. According to a study by CISCRP, 60% of patients see the location of, and time spent at, a clinical site as important factors when considering clinical trials (5). CMDs can include telemedicine, smartphone apps and AI capable of analysing patient data. As a result, there has been compound annual growth of ~34% in CMD use in clinical trials (6). These benefits are best illustrated by the significant growth of the IoMT market, which is expected to grow from ~$31 billion in 2021 to a predicted ~$188 billion in 2028 (7), with CMDs and wearable smart devices increasingly used in the home as well as in healthcare institutions.

Cybersecurity Issues

Despite the advantages of the IoMT, the adoption of CMDs is hampered by concerns regarding the security of clinical data stored in the cloud, compared with traditional medical records stored on paper or on internal servers, which are less susceptible to being leaked. IoMT devices are vulnerable to many types of attack which can interfere with patient monitoring and care. Examples include eavesdropping, in which an attacker gains access to private medical records which can then be used to unlock the CMD, gaining further access to unauthorised data and allowing them to tamper with private medical records (8). While the common aim of these attacks is to sell the data to a third party, attacks on IoMT devices could also involve altering medical data, leading to improper diagnoses, the prescription of medication that causes an allergic response, or inaccurate monitoring of medical conditions, all of which would impact patient welfare and have potentially significant financial impacts (8).

There have been many instances of attacks on large technology companies in recent years. Fitbit, one of the largest producers of wearable activity tracking watches, has been revealed to be vulnerable to data leakage via network connection (9), and the Nike+ Fuelband is prone to attack due to its USB connector (10). Technology companies such as Huawei, Xiaomi and Jawbone have suffered data leaks (9).

These incidents have negatively impacted public trust in CMDs collecting medical data, with people typically not wishing to share medical information with non-NHS businesses for reasons other than direct care. While trust was shown to increase after a deliberative workshop, it remained low (<50%) (11). As these findings show, public distrust towards CMDs amid cybersecurity scandals will halt the potential growth of the IoMT and its applications in healthcare.

CMDs and the IoMT provide a promising avenue for quick, efficient diagnosis and treatment of a variety of conditions, and allow for DCTs, which increase the number of willing participants and allow accurate remote monitoring of conditions. However, cybersecurity issues halt the progress and uptake of CMDs due to public distrust and misuse of the technology by cyber attackers. Unfortunately, cybersecurity issues can typically only be addressed after an incident occurs; however, updates to UK regulations regarding CMDs will help prevent future attacks and data leaks.

Cybersecurity breaches can have a variety of goals.

1) Deloitte. Medtech and the Internet of Medical Things [Internet]. 2018. Available from: https://www2.deloitte.com/global/en/pages/life-sciences-and-healthcare/articles/medtech-internet-of-medical-things.html

2) Sato T, Ishimaru H, Takata T, Sasaki H, Shikano M. Application of Internet of Medical/Health Things to Decentralized Clinical Trials: Development Status and Regulatory Considerations. Frontiers in Medicine. 2022;9. Available from: https://doi.org/10.3389%2Ffmed.2022.903188

3) Angus DC. Randomized clinical trials of artificial intelligence. JAMA. 2020 Mar 17;323(11):1043-5. Available from: https://doi.org/10.1001/jama.2020.1039

4) McKinsey & Company. No place like home? Stepping up the decentralization of clinical trials [Internet]. 2021. Available from: https://www.mckinsey.com/industries/life-sciences/our-insights/no-place-like-home-stepping-up-the-decentralization-of-clinical-trials

5) Anderson A, Borfitz D, Getz K. Global public attitudes about clinical research and patient experiences with clinical trials. JAMA Network Open. 2018 Oct 5;1(6):e182969. Available from: https://doi.org/10.1001/jamanetworkopen.2018.2969

6) Marra C, Chen JL, Coravos A, Stern AD. Quantifying the use of connected digital products in clinical research. NPJ Digital Medicine. 2020 Apr 3;3(1):1-5. Available from: https://doi.org/10.1038/s41746-020-0259-x

7) Fortune Business Insights. Internet of Medical Things (IoMT) Market [Internet]. Available from: https://www.fortunebusinessinsights.com/industry-reports/internet-of-medical-things-iomt-market-101844

8) Hasan MK, Ghazal TM, Saeed RA, Pandey B, Gohel H, Eshmawi AA, Abdel-Khalek S, Alkhassawneh HM. A review on security threats, vulnerabilities, and counter measures of 5G enabled Internet-of-Medical-Things. IET Communications. 2022 Mar;16(5):421-32. Available from: https://doi.org/10.1049/cmu2.12301

9) Jiang D, Shi G. Research on data security and privacy protection of wearable equipment in healthcare. Journal of Healthcare Engineering. 2021 Feb 5;2021. Available from: https://doi.org/10.1155/2021/6656204

10) Arias O, Wurm J, Hoang K, Jin Y. Privacy and security in internet of things and wearable devices. IEEE Transactions on Multi-Scale Computing Systems. 2015 Nov 6;1(2):99-109. Available from: https://doi.org/10.1109/TMSCS.2015.2498605

11) Chico V, Hunn A, Taylor M. Public views on sharing anonymised patient-level data where there is a mixed public and private benefit. NHS Health Research Authority, University of Sheffield School of Law. 2019 Sep. Available from: https://s3.eu-west-2.amazonaws.com/www.hra.nhs.uk/media/documents/Sharing_anonymised_patient-level_data_where_there_is_a_mixed_public_and_privat_Pab71UW.pdf