
When IoT Security is a Matter of Life or Death

Aug 22, 2018

In the IT security world, regulations have a tendency to add clarity to otherwise obscure risks. While it may be impossible to quantify or even scope the risk of hacked devices, a regulation, with its fines and penalties, makes risk concrete. Freeing up budget for risk mitigation is much more straightforward when the risk is quantified very simply as a fine for non-compliance, rather than having to guess at the eventual fallout from having to engage in a recall, face public scrutiny, or repair a brand’s reputation.

Only with medical devices does the conversation around the security of the Internet of Things (IoT) involve life and death. From pacemakers vulnerable to wireless hacking to insulin pumps, devices have been deployed with little thought to threat vectors or defenses.

While in the US we rely on the FDA to produce at least guidance on medical device safety, regulators in the EU recognize the importance of controlling medical device proliferation and have enacted a broad set of requirements for tracking medical device development and deployment.

On April 5, 2017, two new regulations on medical devices were adopted by the European Commission, replacing and updating the current regulations.

The new rules will only apply three years after entry into force for the regulation on medical devices (Spring 2020) and five years after entry into force (Spring 2022) for the regulation on in vitro diagnostic medical devices.

The new regulations contain a series of extremely important improvements to modernize the current system. Among them are:

  • A new pre-market scrutiny mechanism with the involvement of a pool of experts at EU level for high-risk devices;
  • the reinforcement of the criteria for designation and processes for oversight of Notified Bodies;
  • the inclusion of certain aesthetic devices which present the same characteristics and risk profile as analogous medical devices under the scope of these regulations;
  • the introduction of a new risk classification system for in vitro diagnostic medical devices in line with international guidance;
  • improved transparency through the establishment of a comprehensive EU database on medical devices and of a device traceability system based on Unique Device Identification;
  • the introduction of an “implant card” containing information about implanted medical devices for a patient;
  • the reinforcement of the rules on clinical evidence, including an EU-wide coordinated procedure for authorization of multi-center clinical investigations;
  • the strengthening of post-market surveillance requirements for manufacturers; and
  • improved coordination mechanisms between EU countries in the fields of vigilance and market surveillance.

After the recent demonstration that the UK National Health Service is extremely vulnerable to attacks against unpatched versions of Windows dating back more than a decade, there is some doubt that the industry is going to be able to adapt to these new regulations. A three-year grace period seems like a lot of time. But note that organizations have less than five months to become compliant with the EU General Data Protection Regulation (GDPR), the mother of all data protection regulations, yet most are woefully unprepared.

As we have seen with GDPR, EU regulations have a global impact. Most device manufacturers have a presence in or sell into Europe. So, while it is inevitable that the FDA will impose new regulations on device security, it is more than likely that compliance with these EU regulations will predate them. So, keep an eye on Europe if you are developing medical devices.