How can we ensure medical devices are protected from cybersecurity vulnerabilities?

Chris Harvey, director of recall solutions, Stericycle, explains his thoughts on cybersecurity within the medical plastics industry.

As the medical plastics industry becomes increasingly digitalized with processes such as Artificial Intelligence (AI) and Industry 4.0, it is essential that manufacturers are able to implement these digital changes with sufficient security measures in place. For the benefit of both consumers and medical device manufacturers, we’re hopeful companies will be able to do this; if they cannot, the litigation and reputational losses could be substantial over the next decade.

Additionally, because this is a relatively new area for many medical plastics manufacturers, most are not yet equipped to implement the right security measures. However, I believe that they are aware of the issue and are moving quickly to correct any weaknesses in their systems. Given the size and importance of the industry, you can expect the companies to invest in the resources to make the necessary technological changes in processes and equipment.

In order to stay up to date with cybersecurity measures, first and foremost, manufacturers must accept the fact that cybersecurity is a battle with no end. The Food and Drug Administration (FDA) provides guidance and Memoranda of Understanding that can help guide the industry, but companies must not limit their understanding and security measures to what regulators recommend or require. Collaboration within the industry and across related industries is the best way to stay up to date with the latest risks and threats and take appropriate steps to protect against them.

Manufacturers need to be honest and forthcoming with patients when it comes to data security and privacy. In no other situation is this communication more important than when a vulnerability is identified, and a product needs to be recalled. In these cases, telling patients exactly what is at risk and what the company is doing to prevent such an incident in the future is paramount.

I believe regulations are only part of the solution, and it is important that manufacturers do not rely on regulatory agencies to be their sole source of information. We need to think about cybersecurity less in terms of regulatory compliance and more about entering a new battle every day. Cybersecurity is a moving target, and the fact is that we don’t know what the next big threat is – and neither do regulators. It’s a reality that makes it difficult for anyone to stay ahead of the curve. 

Product recalls have remained steady over recent quarters, with no real surprises about the cumulative impact of these events. But what was remarkable was that software issues were the top cause of medical device recalls, accounting for 46 recalls. When we really stop to think about what that means, we can’t help but realize the risks facing patients, doctors, and device companies who increasingly rely on AI and data collection to inform medical decisions and treatment options. If the software that is used to operate a device is inadequate, how can we be sure that it is protected from cybersecurity vulnerabilities? Add to that the fact that companies have only recently been laser-focused on mitigating cyber threats associated with medical devices. It's a recipe for disaster.
