The Food and Drug Administration (FDA) set new medical device cybersecurity standards with the guidance it published in 2023. The guidance spells out explicit requirements alongside additional best practices. One area of concentration is interoperability.
So, how does interoperability play into these new medical device cybersecurity standards?
The Role of Interoperability in Medical Device Cybersecurity
Interoperability within healthcare ecosystems has long been a need, ensuring that different software systems can exchange information. It has also been an area of great complexity and concern. The FDA highlighted this area in its guidance.
The agency defined interoperability considerations as including the ability to interface between:
- Medical devices and accessories
- Functions identified in the Multiple Function Device Products
- General purpose platforms
- Other healthcare software systems (e.g., EHRs, medical imaging systems)
Simply put, medical devices must be able to interact with other applications. A key example would be transmitting information from the device to a patient’s electronic health record. This information is valuable for providers in developing care plans for patients.
Interoperability brings many security issues with it, and medical device cybersecurity must account for them. Manufacturers must design devices so that interoperability is possible without allowing it to become an exploitable weakness.
Medical devices cannot fully support patient care and outcomes in isolation.
Medical Device Cybersecurity Standards and Controls for Interoperability
The FDA urges medical device companies to implement controls that ensure their products are cyber-secure. When selecting controls, however, you also have to make sure they don’t cause problems with accessibility and usability.
One area to concentrate on is the technology that enables interoperability, including Bluetooth and network protocols. The FDA recommends heightening the security controls around these technologies and delves into the topic further in its interoperability recommendations. These considerations create a subset of activities focused specifically on interoperability, including:
- Performing a risk analysis
- Extended or expanded testing
- Defining potential misuses and their impact on security
- Verification and validation controls required for integration
- Providing interoperability cybersecurity best practices for providers
All of these can serve as a foundation and would likely form part of the FDA’s other medical device cybersecurity standards for monitoring, identifying, and addressing cyber risk.
What Other Risks Are Inherent with Interoperable Medical Devices?
Interoperable medical devices carry many shades of risk. Like any system, they are susceptible to breaches and unauthorized access. What makes them even more concerning is that the other connected systems could be the route through which attackers gain access. Because it is not a closed system, there must be emphasis on:
- Strong authentication protocols
- Encryption in all communication transmissions
Another potential issue arises if a medical device receives incorrect data from another device. This could lead providers to make inaccurate diagnoses, and it may also be considered a HIPAA violation. For this risk category, you must consider data privacy rules and how they affect interoperability.
Staying on Course: What to Do About Interoperability and Medical Devices
Interoperability is one of the many elements you, as a manufacturer, must consider in cybersecurity planning. It is a critical one, as every medical device must connect to other systems. Those connections can occur within a provider network or at the patient’s residence, so you are dealing with unknowns. You can be reasonably sure that provider networks are secure, but far less so with patients’ home networks.
This increased risk is something you must take into account when creating controls and guidance for devices once they are in use.
How can you put devices in the best position to be both interoperable and secure? Invest in assessments and medical device penetration testing throughout the product lifecycle. This work doesn’t end once the device is on the market.
It’s an ongoing process, and one in which our team has substantial expertise. If you’re concerned about interoperability or any other FDA medical device cybersecurity standards, schedule a discovery session today.