Future regulatory framework for medical devices in the UK

With the connected revolution, the Internet of Things (IoT) is having an increasingly large part to play in healthcare.

The possibilities of new, evolving and interconnected medical devices know no bounds; but the implications of poor cyber security could have quite the impact, particularly if that security is overlooked or simply bolted on at the last minute.

As the UK Medicines and Healthcare products Regulatory Agency (MRHA) requests views on how medical devices could be regulated across the UK in the future, Stuart Kurutac, Senior Security Consultant at NCC Group shares thoughts on the key elements to consider.

"Data privacy is a major concern. Meanwhile, loss of life is a very real possibility if connected devices are not secure. We therefore welcome MHRA's intention to establish regulatory requirements relating to security measures and protection against unauthorised access for medical devices.

As well as being clear about what the requirements are and how they can be achieved, the MHRA should avoid adding any further fragmentation or complexity and utilise the wealth of established standards and frameworks already in existence, ensure alignment with other government department's efforts to secure connected products such as the Department for Digital, Culture, Media and Sport's (DCMS) 'Secure by Design' programme and focus on harmonising its frameworks with global practice.

Other stand out points that we recommend include:

• The importance of embedding a true understanding of the threat and risk landscape
  
  Developers and manufacturers should be required to embed a true understanding of threats and risks in their organisations and promote continuous mitigation throughout the product design, development, and post-market lifecycle, avoiding a 'tick-box' compliance approach. Thorough threat modelling and risk assessments are essential steps in the development process.
  
  Continuous post-market assurance should also be undertaken, including (but not limited to): security testing, both automated and manual, and in real-world connected healthcare settings; support for security patching; an up-to-date Software Bill of Materials (SBOM) allowing vendors to keep track of third-party software contained in their applications and devices; and, a responsible disclosure process.
  
  Manufacturers and developers should also be required to establish the links between technical risks and clinical risks, using standards such as DCB0129 and DCB0160, existing risk scoring tools and collaborating with Clinical Safety Officers. This will enable them to prioritise discovered vulnerabilities throughout the product lifecycle.
  
  
• The importance of building in flexibility and future-proofing from the outset
  
  This should include periodic reviews and regular engagement with industry- to accommodate future advancements. MHRA should also consider how it can support continuous security research and testing.
  
  More broadly, we note that there is a significant regulatory gap in the fast-evolving field of brain computer interfaces (BCI). There is a myriad of potential applications for BCIs in the health sector, including health monitoring, alleviating mental illness and easing physical disabilities. However, there are also significant security, safety and privacy concerns that need to be addressed before this emerging technology is adopted more broadly, and, at present, there is currently no regulation in the UK which does this, taking into account the specific challenges associated with BCIs.

Good, evidence-based and data-driven regulation can play a key role in ensuring the right steps are taken by manufacturers and developers to minimise risks and maximise cyber security."

Link to Consultation https://www.gov.uk/government/consultations/consultation-on-the-future-regulation-of-medical-devices-in-the-united-kingdom

Image: Shutterstock: Royalty-free stock photo ID: 572383276