Cybersecurity in MedTech: The Shift From Reactive to Proactive
Darren Porras & Mike Kijewski
September 30, 2025

In today’s online world, cyber attacks are increasingly pervasive and disruptive to healthcare operations and patient care. And as MedTech devices continue to become more complex, connected and intelligent, the cybersecurity risks can rapidly increase. The number of real-world cyber attacks on healthcare organizations is surging, exploiting vulnerabilities in connected medical devices and networks and impacting patients and hospitals. In turn, the FDA and other regulatory agencies are raising the bar for regulatory submissions, as highlighted by the Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act).
In a recent podcast with RTI, Medcrypt CEO Mike Kijewski asserted that as many as 60-70% of device submissions are now experiencing delays due to cybersecurity deficiencies. Numbers like that illustrate the fact that cybersecurity is no longer considered an optional technical feature, but rather a safety and critical business requirement that affects market readiness, system availability, intellectual property, and product life cycle costs.
What does this mean for teams charged with making the digital transformation from siloed devices to interconnected ecosystems? First and foremost, it means that comprehensive security considerations need to be incorporated early in the product design. And ultimately, digital transformation emphasizes the need for a broad-based shift from patchwork security controls to secure product architectures.
Current Challenges in MedTech Cybersecurity
MedTech's cybersecurity challenges stem from the sector’s push towards smarter, integrated solutions that rely on the interoperability of diverse platforms and data sources that power real-time AI, robotics, sensing, and advanced imaging applications. The benefits of these integrations are driving innovation across the industry, with connectivity at the core. Unfortunately, this connectivity greatly increases the risk of intentional or unintentional cybersecurity-related failures.
At present, data flow is typically distributed across a growing system of systems, with MedTech solutions becoming more complex, connected, and inherently less secure as a result. There is a critical need to address these challenges. The goal is to accelerate the design and delivery of secure solutions that are not only innovative, but also scalable and adaptable to new technologies, platforms, use cases, and product capabilities.
Defining Connectivity and Its Implications
Connectivity in MedTech is more comprehensive than simply linking devices with wires and Wi-Fi. It encompasses the unique attributes of the data that need to be shared, distributed, and processed, with demanding requirements for performance, reliability, and security across applications and platforms. We must therefore address reliability, security, and latency beyond the capabilities of the network, not only to optimize latency and reliability, but also to truly enforce trusted access to data in motion. In addition, the components of the system must be authenticated at all endpoints. With this approach, security is not dependent on firewalls or network perimeters, but instead on a comprehensive and secure architecture that is based on zero-trust principles.
A key point to consider: devices that may have been historically deemed cyber-safe, “isolated” from the cloud, are now fully under regulatory scrutiny as cyber devices, capable of being connected and thus subject to vulnerabilities and threats that may originate from any device port or external systems.
Innovation and Security: Considerations for Scalable Development
From a CT scanner consisting of a system of systems to a telesurgical robot, data flows across internal and external interfaces in a growing digital ecosystem, with failure modes and cybersecurity risks that vary by use case and operational state of the system. Without a systematic analysis, design, and technology stack that supports a secure connectivity architecture, scalability can be challenging.
The reason? Deploying suboptimal patchwork security controls not only exposes an organization to significant safety and business risks, but can also be costly to develop and maintain. Worse, it often winds up imposing constraints on the end solution that limit performance, functionality, or both. Incorporating a secure-by-design product architecture helps ensure a scalable foundation to deliver a pipeline of innovative programs and products.
Advice for Industry Leaders
For leaders in the MedTech sector, embracing proactive cybersecurity measures is not only critical to ensure safe and effective products, but also provides a competitive advantage. Integrating cybersecurity at every stage of the product life cycle can effectively minimize emergent risks and improve development efficiency, while maximizing innovation.
Today’s leaders are increasingly focused on collaborating within the industry and leveraging state-of-the-art technologies that support best practices and evolving guidelines. By prioritizing cybersecurity from ideation through to implementation and release, companies can ensure they not only comply with regulatory requirements, but also drive meaningful progress in keeping operating costs low and system security high.
Looking Ahead: Predictions and Future Directions
Cybersecurity in MedTech is poised to become increasingly integral, in parallel with the industry's foundational safety protocols. As threats evolve alongside technological advancements, companies must anticipate regulatory tightening and rigorous cybersecurity assessments from hospitals, and prepare for sophisticated cyber-attacks that could target infrastructural vulnerabilities. The need for secure interoperability of intelligent and connected systems must be addressed. The answer lies in applying secure-by-design principles and adopting a proactive rather than reactive approach to cybersecurity.
Medcrypt and RTI are both proud to play a pivotal role in supporting and shaping this future by providing essential resources and insights that empower industry participants to meet these challenges head-on.
For more information, please visit these links:
Leading the Digital Transformation in Connected, Intelligent MedTech
RTI Connext: Securing Connected Medical Devices
Meeting FDA Cybersecurity Requirements with Medcrypt Guardian & RTI Connext
Listen to the RTI and Medcrypt podcast on Spotify
About the authors:
Darren Porras is the Market Development Manager for Healthcare at RTI. Darren has over 20 years of experience in the medical device industry and product development. Prior to joining RTI, Darren was a program manager at Medtronic for Surgical Robotics. Darren has also held program management and software development roles at Philips and Integra Radionics spanning medical imaging, image-guided surgery, and cybersecurity.
Mike Kijewski is the CEO and Co‑Founder of Medcrypt, where he leads efforts to bring cybersecurity to medical devices with a “secure by design” philosophy. With a background in physics, software, and healthcare, Mike is passionate about the intersection of internet tech and patient safety. Under his leadership, Medcrypt has partnered with industry leaders to help device manufacturers innovate confidently while meeting regulatory demands.