Cybersecurity has increasingly become a concern for Digital Therapeutics (DTx) developers and regulatory bodies. DTx are exposed to security threats, and a breach could cause patient harm up to and including life-threatening situations. Today, many governmental and regulatory bodies offer only general security guidance, but this may change soon. Increasing requirements may affect the time and money DTx developers invest in security and the penalties they face for security compromises. DTx developers can prepare for tomorrow by implementing strong security practices today.
Current vs. future regulations
Regulatory bodies such as the United States Food and Drug Administration (FDA), United Kingdom Medicines and Healthcare products Regulatory Agency (MHRA), and the European Union Medical Device Coordination Group (MDCG) all have guidelines and recommendations for security for medical devices (including applicable DTx).
However, the number of security requirements may soon increase as security compromises become a more prominent concern. For example, although the FDA presents security breaches as a serious threat, it does not mandate measures such as premarket security audits. In the future, DTx developers may need to accommodate more security measures.
According to Nisarg Patel and Atul Butte’s recently published article in Nature, regulators are pushing for changes to increase security requirements.[1] Patel and Butte’s insights on changing requirements refer primarily to the DTx market in the US but translate readily for DTx developers in the UK and EU. Regulatory advocates are pushing for the following:
- Public visibility: Include security reports in device summaries so patients, physicians, and payers can immediately identify products that have been proven secure.
- Mandatory audits: Require security audits to ensure products meet security best practices.
- Annual audits: Require annual audits so DTx developers can identify areas of weakness and catch evolving threats.
Requiring additional audits and more visibility could help protect DTx from security threats. DTx developers will need to adapt by including security in plans, trials, and assessments.
FDA tiers of risk
Currently, the FDA divides medical devices into two tiers of security risk: Higher Cybersecurity Risk (Tier 1) and Standard Cybersecurity Risk (Tier 2). Tier 1 devices can connect to another medical or non-medical product, a network, or the internet, and a security breach of a Tier 1 device could directly harm multiple patients. For example, the FDA would classify an insulin pump that connects with a home monitor and software programmers as a Tier 1 device.[2]
Tier 2 devices lack the connectivity, or the potential for a breach to harm multiple patients, that defines Tier 1. An example of a Tier 2 device is a coronary atherectomy device that does not connect to outside networks. Although most DTx do not include implanted devices, their high degree of connectivity puts them at increased risk from security threats. If DTx are connected and capable of causing harm to many patients, they may fall under Tier 1.
The FDA requires DTx developers to determine their device’s risk tier and implement appropriate security measures. The FDA then evaluates the resulting security report rather than independently evaluating the device’s security. Currently, the FDA does not require premarket security audits for medical devices, nor does it require developers to include security reports in public-facing product summaries.
MHRA and EU guidance
Like the FDA, the MHRA and EU provide guidance for medical device security. The MHRA regulates medical devices in the UK. The UK’s National Health Service (NHS) Digital program works alongside the MHRA to help medical device developers with security, and NHS Digital provides helpful security recommendations for reference.[3]
The EU’s Medical Device Coordination Group (MDCG) published guidance in 2019 on security for medical devices. The document calls special attention to where security and patient safety risks overlap. For example, weak security may allow device compromise and put patient safety at risk, while overly restrictive security may prevent patients from getting the help they need from professionals.[4] MDCG recommends finding a balance between security and safety (Figure 1).
Regulatory bodies provide valuable insights
Prepare for additional security regulations by reviewing and applying current guidance. Regulatory bodies present an abundance of practical advice on how to prepare. Alongside preparation, remain mindful of the intended function of your DTx product. The goal is a secure yet functional therapy.
Create a cybersecurity strategy
Both NHS Digital and MDCG offer in-depth guidance on establishing robust security measures. NHS Digital has a 6-step mitigation plan to protect medical devices connected to clinical networks from security breaches. Although written for clinical networks, NHS Digital’s plan includes information applicable to DTx. The plan covers everything from identifying weaknesses to preventing compromises, reducing the impact of potential compromises, and planning for periodic reviews.
MDCG guidelines cover everything from conducting risk assessments to configuring information technology architecture to managing risks across a product’s lifecycle. These guidelines offer comprehensive and practical steps to ensure the safety of devices and the patients who use them. Even DTx developers operating outside the EU regulatory market would do well to review these guidelines before creating a security strategy.
Delivering a trustworthy device
The FDA criteria for a trustworthy device sit squarely between security and usability. The criteria are as follows:
- Secure from security intrusion and misuse
- Provide availability, reliability, and correct operation
- Perform intended purpose
- Adhere to security procedures
Trustworthy devices balance security, operability, function, and procedural adherence. DTx developers do well to document their security measures. Documentation helps with approval or clearance from regulatory bodies and adds to provider, payer, and public confidence.
Creating secure DTx programs is becoming paramount for developers, and regulatory advocates are pushing for additional requirements to protect against breaches. DTx developers must invest the time to create therapeutics that balance function with robust security.
1. Patel NA, Butte AJ. Characteristics and challenges of the clinical pipeline of digital therapeutics. npj Digital Medicine (2020) 3:159; https://doi.org/10.1038/s41746-020-00370-8.
2. Content of premarket submissions for management of cybersecurity in medical devices. US Department of Health and Human Services. https://www.fda.gov/media/119933/download. Issued October 18, 2018. Accessed September 22, 2021.
3. Guidance on protecting medical devices. NHS Digital. https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/guidance-on-protecting-medical-devices. Last edited July 1, 2020. Accessed September 28, 2021.
4. MDCG 2019-16 guidance on cybersecurity for medical devices. Medical Device Coordination Group. https://ec.europa.eu/docsroom/documents/41863. Published December 2019. Accessed September 28, 2021.