MedTech regulations in medical device manufacturing: Navigating the top IoMT acronyms

This article is part two of our blog series on Connected Health and MedTech.

Do you find yourself being swept away in a sea of acronyms? Not to worry, we are here to help! The following segment is deliberately written far too densely, but it gives you a good idea of just how crazy the 2022 MedTech regulatory field is getting with its acronyms.

With the rise in connected health and the use of SaMD, or of medical activities taking place in the cloud, protecting the PHI and PII of patients has become a priority. For an MDM producing a connected IoMT device for an HDO, you need to meet the requirements of the competent authorities. For the pre-market phase, in the US, follow the FDA’s 2022 premarket submissions guidance draft; in the EU, NBs will check your conformity to MDR 745/17 and IVDR 746/17.

For the post-market phase, apply PMS, adhere to the IMDRF TPLC guidelines, follow the 2022 PATCH act as well as the NTIA SBOM minimum requirements, and utilize VEX to secure the future of your medical device. Don’t forget to ensure compliance with the documents from the ISO, NIS and MDCG. Consider making use of the HSCC’s MVCT to help get your device ready, and on top of all that, grab your ticket for the latest H-ISAC, AAMI and HIMSS conferences.

Are you lost? We don’t blame you! Now, let’s break it down by addressing the why, the how and the where.

MedTech glossary including: SBOM; FDA; 2022 PATCH act; MDR; IVDR; TPLC; MDCG; IoMT; MDM; NTIA; VEX

This glossary includes the top MedTech acronyms.

Why is the 2022 cybersecurity PATCH act in healthcare a priority?

With the rise of Software as a Medical Device (SaMD) and network connectivity amongst medical devices, having a secure framework to protect against malicious intent is becoming increasingly necessary. The Notified Bodies (NBs) in the EU and the Food and Drug Administration (FDA) in the US are responsible for the conformity assessment process of all medical and in vitro diagnostic devices. The conformity assessment includes the applicable standards that support the development of secure devices.

The Protecting and Transforming Cyber Health Care (PATCH) act of 2022, for example, aims to provide safety assurance throughout the lifecycle of cyber devices, both big and small. By making the patching and updating of medical device software a priority, there can be a unified cybersecurity defense line across all devices, and the older generation (legacy devices) will be better secured against vulnerabilities in the years to come.

The Internet of Medical Things (IoMT) connects all medical devices present on the same network, from diagnostic machines to monitors and everything in between. As a patient, your Protected Health Information (PHI) as well as your Personally Identifiable Information (PII) is transferred between Health Delivery Organizations (HDOs). As far as the safety of your medical data is concerned, it is in relatively safe hands, as the information usually travels over an intranet using standard web encryption.

When hackers try to break into a hospital network, they look for insecure devices and systems that can give them access to the network while they map it out. Many devices, such as wireless infusion pumps, smart pens, implanted devices and vital-sign monitors, are already vulnerable to many exploits and can offer an easy path to the servers and systems where confidential patient records are stored. Generally, these systems have no cybersecurity protection.

How can you prepare for the pre-market medical device submissions?

For pre-market vulnerability management, the FDA has set out a list of requirements for Medical Device Manufacturers (MDMs) in its latest regulatory guidance draft, released in April 2022, which MDMs must adhere to before their devices can be marketed.

The guidance draft recommends the cybersecurity device designs, labeling and documentation prescribed by the FDA to accompany pre-market submissions for medical devices with cybersecurity risk.

Pushing cybersecurity to the forefront of medical device design is a complicated effort. To ease the implementation, the Health Sector Coordinating Council (HSCC) developed the MedTech Vulnerabilities Communication Toolkit (MVCT) to assist in disclosing any vulnerabilities present in medical devices during pre-market preparation.

For US manufacturers, following the PATCH act in addition to the FDA guidance draft helps with the implementation of critical cybersecurity defenses by allowing medical devices to be updated and patched in the future.

The European Union (EU), on the other hand, has replaced its previous directives for medical devices with updated documents, namely the Medical Device Regulation (MDR) and the In Vitro Diagnostic Device Regulation (IVDR). Both are being progressively implemented, with the final deadline in May 2024. The aim is to ensure that all medical devices are fit for cybersecurity challenges and can also be patched for years to come.

While both the US and the EU have their own sets of regulations, medical device manufacturers also need to comply with the international standards that relate to the products they are developing. These are laid out by the International Organization for Standardization (ISO), the Medical Device Coordination Group (MDCG), the International Medical Device Regulators Forum (IMDRF) and the Network Information Systems Security (NIS) directive.

How do you prepare your medical device for post-market management?

Once the medical device has been shipped and set up in the field, the need to keep it secure continues.

From the medical device manufacturer’s perspective, preparing a Software Bill of Materials (SBOM) that meets the minimum requirements set by the National Telecommunications and Information Administration (NTIA) will help monitor for new vulnerabilities in the components a device ships with. The Vulnerability Exploitability Exchange (VEX) was designed to communicate whether a known vulnerability in an SBOM component is actually exploitable in the product, and may be a useful addition. Ultimately, having a comprehensive patching strategy will ensure that devices are not left vulnerable in hostile environments.
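As an added illustration of how the SBOM and VEX described above fit together in post-market monitoring (a constructed example, not the article's or any manufacturer's code; the dictionary field names, the hypothetical pump firmware and the placeholder CVE ids are assumptions, not the CycloneDX or SPDX schemas):

```python
"""Post-market SBOM + VEX triage. Constructed example, not the article's code."""
# NTIA minimum elements: document-level fields and per-component fields.
NTIA_DOCUMENT_FIELDS = ("author", "timestamp", "components")
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "identifiers", "depends_on")

def check_ntia_minimum(sbom):
    """Return missing NTIA minimum-element fields; an empty list means compliant."""
    missing = [f for f in NTIA_DOCUMENT_FIELDS if f not in sbom]
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        missing += [f"{label}.{f}" for f in NTIA_COMPONENT_FIELDS if f not in comp]
    return missing

def triage(sbom, advisories, vex):
    """Match advisories to shipped component versions, then apply VEX statements.
    Returns (component, cve, status) tuples that still need action."""
    by_name = {c["name"]: c for c in sbom["components"]}
    vex_status = {(s["component"], s["cve"]): s["status"] for s in vex}
    actionable = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None or comp["version"] not in adv["affected_versions"]:
            continue  # not shipped, or the shipped version is not affected
        # No VEX statement yet: the CVE stays open until investigated.
        status = vex_status.get((adv["component"], adv["cve"]), "under_investigation")
        if status in ("not_affected", "fixed"):
            continue  # VEX says this CVE poses no risk on this device
        actionable.append((comp["name"], adv["cve"], status))
    return actionable

# Constructed SBOM for a hypothetical infusion-pump firmware; CVE ids are placeholders.
SBOM = {
    "author": "Example MDM product security team",
    "timestamp": "2022-06-01T00:00:00Z",
    "components": [
        {"supplier": "Example MDM", "name": "pump-firmware", "version": "3.2.0",
         "identifiers": {"purl": "pkg:generic/pump-firmware@3.2.0"},
         "depends_on": ["pkg:generic/tls-lib@1.4.2"]},
        {"supplier": "Example TLS Vendor", "name": "tls-lib", "version": "1.4.2",
         "identifiers": {"purl": "pkg:generic/tls-lib@1.4.2"}, "depends_on": []},
    ],
}
ADVISORIES = [
    {"cve": "CVE-0000-0001-PLACEHOLDER", "component": "tls-lib", "affected_versions": ["1.4.2"]},
    {"cve": "CVE-0000-0002-PLACEHOLDER", "component": "tls-lib", "affected_versions": ["1.4.2"]},
    {"cve": "CVE-0000-0003-PLACEHOLDER", "component": "tls-lib", "affected_versions": ["1.3.0"]},
]
# VEX: the first CVE lives in code the firmware never calls, so it is not exploitable here.
VEX = [{"component": "tls-lib", "cve": "CVE-0000-0001-PLACEHOLDER", "status": "not_affected"}]
```

Running `triage(SBOM, ADVISORIES, VEX)` leaves only the second placeholder CVE open: the first is cleared by the VEX statement and the third does not match the shipped version, which is exactly the noise reduction VEX is meant to provide.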

Developing a cybersecurity plan by applying Post Market Surveillance (PMS) across the Total Product Lifecycle (TPLC), and being vigilant with planned updates, patching and the disclosure of any vulnerabilities, will also ensure the safety of your device in the future.

With thorough planning in both the pre- and post-market phases, future medical devices will be more secure and will help replace the legacy devices currently found throughout medical facilities.

Where can you learn more about MDR and MedTech?

Contact us and we can discuss your cybersecurity needs, as well as assess your implementation strategy for MDR. There are also several health information sharing and medical device advancement conferences that we attend every year, HIMSS, H-ISAC and AAMI to name a few, so you can otherwise find us there!