Abstract
As medical devices become more integrated with wireless technologies, the risks of cyberattacks and data breaches increase, making stringent cybersecurity measures essential. Implementing rigorous cybersecurity standards is central to enhancing the security of these devices. This article examines the evolving cyber threats faced by the medical technology industry, the role of IEEE 2621 in providing comprehensive security benchmarks for medical devices, and the need for continuous risk assessments and adherence to regulatory standards to mitigate future cyber risks. Adherence to cybersecurity standards ensures the effective protection of sensitive data and critical infrastructure.
Keywords: cybersecurity, medical devices, standards, cybercrime, diabetes technology, IEEE 2621
Introduction
The integration of wireless connectivity into medical devices, particularly those used in diabetes management, has transformed patient care but can also introduce cybersecurity risks. Many medical devices are now connected to the Internet of Things (IoT) sector, including medical sensors and drug delivery systems.1 Devices such as insulin pumps and continuous glucose monitors (CGMs) now connect to cloud platforms via technologies like Bluetooth, Wi-Fi, and near-field communication (NFC), allowing for real-time data transmission and remote monitoring. These devices collect and transmit sensor and effector data from the person to a central hub, by way of a handheld controller or smartphone. While this connectivity between the patient, the electronic health record, and clinicians enhances convenience and medical outcomes, it also exposes these devices to potential security breaches.2 In recent years, the diabetes technology sector has faced several significant cyberattacks and data breaches, exposing vulnerabilities and emphasizing the urgent need for improved cybersecurity measures.
In 2016, a security flaw was identified in an insulin pump whose manufacturer later got out of the insulin pump business.3 From 2019 to 2023, several major insulin pump manufacturers faced cybersecurity issues involving the exposure of sensitive patient information and vulnerabilities in device functionality, which prompted recalls and legal actions.4-8 In response to these breaches and potential vulnerabilities, the impacted companies worked with cybersecurity experts to investigate the breaches and enhance their security protocols. These incidents highlight the need for continuous assessment and improvement of cybersecurity measures within the diabetes technology industry.
Medical devices that once operated in isolation now interact with networks, increasing their vulnerability to cyberattacks while complicating the balance between easy access for patients and health care professionals and cybersecurity concerns. Ensuring the security of these devices requires not only the adoption of robust cybersecurity standards but also the creation of an ecosystem that brings together regulators, manufacturers, and cybersecurity experts to ensure the protection of patient data and device integrity. There is a need for conformance testing to determine whether a product truly serves its intended use and complies with technical standards and regulations. The U.S. Food and Drug Administration (FDA)’s latest premarket guidance on medical device cybersecurity, issued in 2023, underscores several areas of concern, including the necessity for robust risk management practices and the implementation of comprehensive security controls.9 This guidance incorporates requirements of the Consolidated Appropriations Act, 2023, enacted on December 29, 2022, which included a relevant section (524B) called “Ensuring Cybersecurity of Medical Devices.”10 The guidance aims to mitigate risks associated with interconnected medical devices, such as insulin pumps and CGMs, which can be exploited by malicious actors if not properly secured. Integrating comprehensive cyber standards, conducting regular security audits, and adhering to regulatory guidelines are critical steps in mitigating the risks associated with cyberattacks in the health care industry.
In the following sections, we explore three key aspects of medical device cybersecurity. First, we briefly discuss the history of the cybersecurity standards that guide protections for connected devices. Second, we discuss a prominent cybersecurity standard for medical devices, IEEE 2621, and its rigorous security benchmarks for preventing vulnerabilities to cyberattacks. We outline IEEE’s certification programs, their guidance on how to develop a test plan for risk assessment, and their plan to deliver conformity assessment of medical devices in the face of cyber threats. Third, we conclude by assessing the future of medical device cybersecurity and its role in safeguarding patient data and device integrity.
Cybersecurity Standards
When it comes to information security, three core principles are used by organizations and businesses to implement information security policies. Confidentiality, integrity, and availability form the CIA triad,11 which ultimately protects against unauthorized disclosure and modification and defends against loss of function (Figure 1).12 Standards have been created to bridge the gap between the CIA triad and trust in a medical device. The foundation for stakeholders to have confidence in the security of diabetes devices was initially built by the Diabetes Technology Society (DTS), which created both the DTS Cybersecurity Standard for Connected Diabetes Devices (DTSec) and the DTS Mobile Platform Controlling a Diabetes Device Security and Safety Standard (DTMoSt).13-15 Outlining recommendations for both mobile device sensors and effectors (such as controllers), these standards were created to pave the way for FDA-recognized cybersecurity standards. Since the creation of DTSec and DTMoSt in 2017 and 2018, respectively, the Institute of Electrical and Electronics Engineers (IEEE) Standards Association and Underwriters Laboratories (UL) together have created IEEE 2621, which is a consensus standard for diabetes device cybersecurity.
Figure 1.
Confidentiality, integrity, and availability form the CIA triad. Source: Office of Energy Efficiency and Renewable Energy.12
Why Do We Need Conformity Assessment?
Conformity assessment is a critical process to ensure that medical devices meet the stringent requirements set forth by standards like IEEE 2621. The need for conformity assessment arises from the increasing reliance on medical devices in health care and the growing complexity of these devices. With the advancement of technology, medical devices have become more sophisticated, integrating software and connectivity features that make them vulnerable to cyber threats. Ensuring that these devices are secure against anticipated levels of threat is important to protect patient safety and maintain the integrity of health care data. Conformity assessment is the process of verifying that a product meets specified requirements. Although all standards specify performance requirements, a standard with conformity assessment also specifies assurance requirements. Conformity assessment typically consists of four steps: testing, inspection, certification, and accreditation. This process can be carried out by any of three parties (see Table 1). Conformity assessment of medical devices helps build confidence among manufacturers, regulators, health care professionals, and patients that the device has undergone rigorous evaluation and meets the required security benchmarks, which helps avoid potential harm to patients and breaches of sensitive health information. In addition, conformity assessment facilitates regulatory approval processes by providing documented evidence of compliance, thereby expediting the market entry of secure medical devices.
Table 1.
Three Types of Conformity Assessment.
| Type | Who performs it |
| --- | --- |
| First-party assessment | Self-declaration by a manufacturer or supplier |
| Second-party assessment | Evaluation by a customer or interested party |
| Third-party assessment | Independent certification by an accredited body |
How Does IEEE 2621 Deliver Conformity Assessment?
An external evaluation adds an additional layer of scrutiny, ensuring that the device’s security claims are substantiated. Under IEEE 2621, there are three levels of rigor in a security evaluation: Basic, Enhanced Basic, and Moderate, which represent increasing levels of attacker effort required to identify and exploit vulnerabilities. The levels of effort are based on the amount of time necessary to exploit a vulnerability, the amount of equipment needed, the amount of technical expertise needed, and the likelihood that a window of opportunity will be available. To document the minimum level of defined security, the IEEE 2621 conformity assessment program permits a manufacturer to conduct a self-assessment and seek accreditation by submitting appropriate documentation to IEEE. If the supporting documentation is satisfactory, then IEEE will issue a certificate at the lowest security assurance level (“Basic”). However, there is no requirement for a manufacturer to conduct a self-assessment. They can proceed directly to having their product independently evaluated by an IEEE Authorized Test Laboratory (ATL), which documents, by way of stringent evaluation processes, that the device can protect against more sophisticated attacks. Successful protection against increasingly comprehensive testing by an ATL enables a device to receive third-party documentation of a higher level of security. There are two possible levels of security assurance that the product can obtain by going this route: based on the scope and depth of security testing by the ATL, the resulting assurance level is defined as either Enhanced Basic or Moderate.
The responsibility lies with the manufacturer for identifying when changes to a device or its software may warrant re-evaluation and recertification. After a third-party evaluation by an ATL, if significant updates or modifications affecting the device’s security posture occur, then it is the manufacturer’s responsibility to notify IEEE and request a re-evaluation. Periodic reassessments by the manufacturer to ensure ongoing compliance with IEEE 2621 are particularly important, as medical devices often receive updates and modifications that could affect their security posture. Regular reassessments help maintain the device’s security throughout its lifecycle, addressing new vulnerabilities that may arise.
The IEEE 2621 certification program formalizes the conformity assessment process by providing specific criteria for certification (Table 2). During the certification process, manufacturers often learn how to make their devices more secure, and they are then in a better position to demonstrate sound security when it is time to submit their specifications for regulatory approval. Devices that meet the IEEE 2621 criteria receive a certification mark, indicating their compliance with the standard. This certification mark can facilitate regulatory approval and instill confidence among health care professionals, patients, and payers in the device’s security and safety.
Table 2.
Steps in Certification for IEEE 2621 by an Authorized Test Laboratory.
| Step | Activity |
| --- | --- |
| 1 | Preassessment of the medical device by an IEEE-approved laboratory |
| 2 | Testing using the IEEE 2621 Test Plan and Checklists, which remove ambiguity from the process |
| 3 | Standardized reporting on testing results |
| 4 | An IEEE Certification Mark that helps manufacturers differentiate their products from competitors |
| 5 | Inclusion of certified products in the IEEE Medical Device Registry |
| 6 | Assistance with submission to regulatory bodies |
| 7 | Meeting FDA submission criteria |
Current and Future Scope of IEEE 2621
The IEEE 2621 cybersecurity standard was initially developed to address the cybersecurity needs of wireless-connected diabetes devices, assuming that each device is networked in some capacity, whether through direct internet connectivity or via Bluetooth to a connected device, such as a smartphone. Currently, the IEEE 2621 Standards and the accompanying Test Plan form the foundation for the certification program targeting connected diabetes devices, ensuring their security and compliance with evolving cybersecurity requirements. However, the scope of IEEE 2621 is set to expand. The IEEE 2621 Certification Advisory Committee (CAC) has recently determined that the existing standards and test plan can and should be extended to cover a broader range of connected medical devices, such as cardiac pacemakers, neural stimulators, infusion pumps, respiratory devices, ventilators, and connected surgical systems. A pilot certification program is set to begin, marking the initial steps toward implementing testing and certification processes for these additional device categories. The CAC will assess the necessary adjustments to both the standards and the test plan for each newly included device type, so as to address the specific risk profiles and security needs associated with different devices. Led by stakeholders within specialized subcommittees, this collaborative effort will guide the development of targeted amendments to the IEEE 2621 Standards and Test Plan. This expansion of scope will ensure that the certification program remains robust and adaptable as the medical device landscape continues to shift toward increasingly interconnected systems. Looking to the future, IEEE 2621 may expand to integrate emerging technologies such as artificial intelligence (AI), machine learning, and IoT in medical devices, align more closely with international standards for global interoperability, and enhance alignment with regulatory guidelines, particularly those issued by the FDA.
Conclusion: What is the Future of Cybersecurity for Medical Devices?
Enhancing cybersecurity for medical devices demands not only the early adoption of standards but also a comprehensive, multidisciplinary approach. By establishing a robust security framework that balances the three core principles of confidentiality, integrity, and availability (the CIA triad), the medical device industry can encourage cross-domain collaboration among diverse experts, ultimately ensuring the protection of sensitive data and critical infrastructure. However, the responsibility for safeguarding these devices extends beyond manufacturers and developers. A cohesive and integrated ecosystem is essential, comprising regulators, certification bodies, testing organizations, solution providers, and manufacturers. The future of cybersecurity in medical devices will be positively shaped by proactive, collaborative, and innovative approaches, all working in tandem to safeguard patient data and maintain the reliability and safety of health care technologies. As cyber threats continue to grow in complexity, the medical device industry must stay ahead of potential risks by continuously refining its security measures, adapting to emerging risks, and adhering to best practices in cybersecurity. By building this ecosystem and fostering partnerships between stakeholders, the medical device sector can create a resilient foundation that protects patient safety and promotes trust in connected health technologies.
Acknowledgments
The authors thank Ron Starman for his helpful advice. The authors acknowledge Annamarie Sucher-Jones for her editorial expertise.
Footnotes
Abbreviations: ATL, Authorized Test Laboratory; CAC, Certification Advisory Committee; CIA, confidentiality, integrity, and availability; DTS, Diabetes Technology Society; DTMoSt, DTS Mobile Platform Controlling a Diabetes Device Security and Safety Standard; DTSec, DTS Cybersecurity Standard for Connected Diabetes Devices; FDA, Food and Drug Administration; IEEE, Institute of Electrical and Electronics Engineers; IoT, Internet of Things; NFC, near-field communication; UL, Underwriters Laboratories.
The author(s) declared the following potential conflicts of interest with respect to the research, authorship, and/or publication of this article: CNH and ATA are consultants for Liom. CSM is a current member of IEEE. DCK is a consultant for Afon, Embecta, Glucotrack, Lifecare, Novo, Samsung, Synchneuro, and Thirdwayv. The remaining authors have nothing to disclose.
Funding: The author(s) received no financial support for the research, authorship, and/or publication of this article.
ORCID iDs:
Cindy N. Ho: https://orcid.org/0009-0008-3067-1004
Alessandra T. Ayers: https://orcid.org/0009-0000-3054-3207
Rachel E. Aaron: https://orcid.org/0009-0005-5120-2264
Tiffany Tian: https://orcid.org/0009-0003-1417-6445
David C. Klonoff: https://orcid.org/0000-0001-6394-6862
References
- 1. Farooq MS, Riaz S, Tehseen R, Farooq U, Saleem K. Role of Internet of things in diabetes healthcare: network infrastructure, taxonomy, challenges, and security model. Digit Health. 2023;9:20552076231179056. doi:10.1177/20552076231179056.
- 2. Cartwright AJ. The elephant in the room: cybersecurity in healthcare. J Clin Monit Comput. 2023;37(5):1123-1132. doi:10.1007/s10877-023-01013-5.
- 3. CISA. Animas OneTouch Ping insulin pump vulnerabilities. Published October 5, 2016. Accessed October 20, 2024. https://www.cisa.gov/news-events/ics-medical-advisories/icsma-16-279-01
- 4. Machine Design. Alleged insulin pen data breach sounds alarm on data protection for patients. Published September 22, 2023. Accessed October 20, 2024. https://www.machinedesign.com/medical-design/article/21274224/alleged-insulin-pen-data-breach-sounds-alarm-on-data-protection-for-patients
- 5. Klonoff D, Han J. The first recall of a diabetes device because of cybersecurity risks. J Diabetes Sci Technol. 2019;13(5):817-820. doi:10.1177/1932296819865655.
- 6. Tandem Diabetes Care. Tandem Diabetes Care announces security incident with five employee email accounts. Published March 16, 2020. Accessed October 20, 2024. https://investor.tandemdiabetes.com/news-releases/news-release-details/tandem-diabetes-care-announces-security-incident-five-employee
- 7. FDA. Cybersecurity. Accessed October 20, 2024. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity
- 8. Hagen J. Insulet reports data breach affecting 29,000 insulin pump users. MobiHealthNews. Published January 24, 2023. Accessed October 20, 2024. https://www.mobihealthnews.com/news/insulet-reports-data-breach-affecting-29000-insulin-pump-users
- 9. FDA. Cybersecurity in medical devices: quality system considerations and content of premarket submissions. Published September 2023. Accessed October 20, 2024. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
- 10. Consolidated Appropriations Act, 2023. Congress.gov. Published 2023. Accessed October 20, 2024. https://www.congress.gov/117/bills/hr2617/BILLS-117hr2617enr.pdf
- 11. Fasulo P. What is the CIA triad? Definition, importance, & examples. SecurityScorecard. Published September 1, 2021. Accessed October 20, 2024. https://securityscorecard.com/blog/what-is-the-cia-triad/
- 12. Federal Energy Management Program. Operational technology cybersecurity for energy systems. Accessed October 20, 2024. https://www.energy.gov/femp/operational-technology-cybersecurity-energy-systems
- 13. Diabetes Technology Society. Cybersecurity standard for connected diabetes devices. Published May 23, 2016. Accessed October 20, 2024. https://www.diabetestechnology.org/dtsec.shtml
- 14. Klonoff AN, Lee WA, Xu NY, Nguyen KT, DuBord A, Kerr D. Six digital health technologies that will transform diabetes. J Diabetes Sci Technol. 2023;17(1):239-249. doi:10.1177/19322968211043498.
- 15. Diabetes Technology Society. Diabetes Technology Society mobile platform controlling a diabetes device security and safety standard. Published May 22, 2018. Accessed October 20, 2024. https://www.diabetestechnology.org/dtmost.shtml