Cybersecurity continues to gain attention as advancements in smart medical devices and platforms are made, and more providers opt for the use of connected medical devices. Beyond the technology itself, what makes the landscape more challenging to navigate is a multitude of guidelines, specifications, and standards set forth by various entities, including government, private, and hybrids of the two regarding cybersecurity practices for medical devices.
In addition to the U.S. regulatory landscape, there are also the international requirements, for example, Health Canada guidance on premarket requirements for medical device cybersecurity (2019), the Australia Therapeutic Goods Administration (TGA) medical device cybersecurity guidance for industry (2019), and the European Medical Devices Regulation (MDR) and In-vitro Diagnostic Medical Devices Regulation (IVDR).
It is important to note that both U.S. and international cyber security-specific requirements are in addition to other regulations dealing with protecting or processing of personal data stored in medical devices. For example, at the E.U. level, in addition to the MDR/IVDR regulations, the NIS Directive (E.U.) 2016/1148 and the General Data Protection Regulation (E.U.) 2016/679 (GDPR), and the E.U. Cybersecurity Act (Regulation (E.U.) 2019/881), are also relevant to medical devices.
The key U.S. federal agencies, the Food and Drug Administration (FDA), Office of the National Coordinator for Health I.T. (ONC), and the Federal Communications Commission (FCC), each have unique responsibilities in the health I.T. arena and are working together on strategies and recommendations for an appropriate, risk-based regulatory framework.