Recent Healthcare Regulations and Guidelines Providers Should Be Aware Of

By Jonathan Nguyen-Duy, VP of Strategic Programs, Fortinet
Twitter: @Fortinet
At HIMSS18: Visit Fortinet, Inc. at #HIMSS18 in Booth 3210 this year in Las Vegas.

Healthcare has long been a regulated space because of the sensitive personal information it collects and stores. Top of mind when thinking of healthcare regulations is HIPAA, whose Privacy and Security Rules set mandatory standards for protecting the confidentiality, integrity and availability of protected health information (PHI). Noncompliance can result in heavy fines as well as reputational damage.

Therefore, compliance with regulations like HIPAA will always be a priority for healthcare IT infrastructure. Attention to regulations and healthcare IT guidelines will become even more important as new digital healthcare products, especially those within the Internet of Medical Things (IoMT), proliferate and gain widespread use. The stakes go beyond data protection: if connected IoMT devices, especially wearables, are compromised or knocked offline, patients' lives can be put at risk, not just their PHI.

Growth of Digital Healthcare
Connected medical devices have become an integral part of patient care as patients take a more active role in their health. Consumers expect access to their medical information and the ability to receive and track treatment remotely. This has led to a boom in the connected medical device industry, with an estimated seven million patients using connected devices as a core part of their care. While this is positive for patient care as a whole, it also increases cyber risk, because many medical devices were not designed with security in mind from the start.

This increase in digital care will bring an increase in regulation aimed at defending against cyberattacks. Digital capabilities in healthcare have evolved so quickly that regulatory bodies have not yet caught up with a complete set of device security rules. The FDA, for example, acknowledges both the positive role digital healthcare is playing in the lives of many patients and its responsibility to regulate without inhibiting that innovation.

Recent Developments in Healthcare Regulations and Guidelines
As standards for securing and regulating digital health products continue to be established, here are some of the most recent developments in healthcare regulation that healthcare solution providers should be aware of.

The Internet of Medical Things Resilience Partnership Act (2017)

This bill was recently introduced by two members of the U.S. House of Representatives to establish a centralized set of guidelines for digital health solution providers so that cybersecurity is built into the product development process. It calls on the FDA and NIST (National Institute of Standards and Technology) to convene a working group of healthcare and security professionals from the public and private sectors to consolidate known cybersecurity best practices into one centralized frame of reference and to identify gaps in security processes that need to be addressed. Adherence to the resulting framework would be voluntary, but providers who follow it are likely to benefit in the long term as more stringent regulations are introduced.

The Medical Device Cybersecurity Act of 2017

This bill, recently introduced in the United States Senate, aims to protect connected medical devices and the PHI they store by raising the level of security manufacturers build into those devices, and to strengthen remote access controls for devices used outside medical facilities. It would establish a cyber report card on which manufacturers indicate the results of a cyber risk assessment of the device, whether the device can be accessed remotely, and more; this report card would have to be updated and submitted annually for as long as the device is supported by the manufacturer. The bill would also require that medical devices be tested for cybersecurity before being sold in the U.S. market. Note that, like the House bill above, this is proposed legislation rather than law, so its requirements are not yet binding.

Recent FDA Guidelines
The FDA has recently released three guidance documents clarifying which software products are, and are not, subject to its regulation as medical devices, in an attempt to protect patients without curbing innovation. These guidances follow the enactment of the 21st Century Cures Act in December 2016, which changed which drugs and devices must be approved by the FDA and the degree of oversight they need.

These guidelines include:

  • Clinical and Patient Decision Support Software
    This document from the FDA clarifies the level of regulation applied to clinical decision support software (CDS), which helps clinicians select the most appropriate treatment plan for a patient, and to the patient-facing equivalent. Under this guidance, CDS whose recommendations a healthcare professional can independently review is no longer treated as a medical device subject to FDA regulation. However, software that analyzes medical images or signals from diagnostic devices, or whose output a clinician cannot independently verify, still requires oversight.
  • Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act
    This document from the FDA outlines the software functions that are no longer considered medical devices and therefore are not subject to FDA regulation. Generally, this covers low-risk software such as general wellness and healthy-lifestyle applications, administrative support software, certain electronic health record functions, and software that merely transfers, stores, converts or displays device data.
  • Software as a Medical Device: Clinical Evaluation
    This guidance, adopted by the FDA from the International Medical Device Regulators Forum (IMDRF), takes an international perspective on software as a medical device (SaMD). It sets out global principles for the clinical evaluation of SaMD (establishing a valid clinical association, analytical validation and clinical validation) that are intended to be consistent across the requirements of many different countries. Its focus is demonstrating safety and effectiveness rather than cybersecurity specifically.

Outside of these recently issued guidelines, the FDA also imposes pre-market and post-market requirements on medical devices according to their level of risk, and manufacturers must classify their devices accordingly. On the cybersecurity side specifically, the FDA's guidance on the content of premarket submissions for management of cybersecurity in medical devices (2014) and on postmarket management of cybersecurity in medical devices (2016) describe what it expects manufacturers to address in design and in ongoing vulnerability management.

Final Thoughts
Government regulators are currently seeking a balance between encouraging the health benefits of digital innovation and minimizing the cyber risks posed to patients. As IoMT-connected devices continue to grow in use, these regulations are likely to change. It will be important for healthcare solution providers, as well as the healthcare organizations that purchase and use their products, to stay informed, become involved in the development of these rules, and adopt security controls that keep them in compliance.