Mention “cybersecurity” and “medical device,” and you’ll probably think of stolen patient data rather than hackers taking remote control of an implanted device. Losing control of patient data carries lasting effects and is perhaps the most serious non-clinical risk on the minds of most manufacturers of smart medical devices. Cybersecurity for digital therapeutics (DTx) follows the same logic, focusing on the more risky scenarios such as data security. The complete picture of DTx cybersecurity includes a longer, better-informed set of risks and mitigating factors. That list takes its cues from medical device manufacturers but must also follow the native logic of software development.
DTx represents an emerging field of software-driven, evidence-based products intended to “prevent, manage, or treat a medical disease or disorder.” Cybersecurity is a concern for DTx, whether they are being evaluated through clinical research or are aiming at market release. In this series of articles, we’ll walk through the cybersecurity threats and opportunities for DTx, take a closer look at how data flow affects data stewardship, and ask who the responsible parties are when it comes to cybersecurity in the data flow. Finally, we’ll look at the current cybersecurity regulations (hint: there aren’t many) and talk about preparing for regulations that are being proposed by the European Medicines Agency (EMA) in the European Union, the Food and Drug Administration (FDA) in the United States, the Medicines & Healthcare products Regulatory Agency (MHRA) in the United Kingdom, and other national regulatory bodies.
Cybersecurity and Digital Therapeutics Defined
Cybersecurity is a range of topics around “protecting networks, devices, and data from unauthorized access or criminal use.” It includes assessing risks and vulnerabilities, along with designing protections from hacking. Setting a high bar for cybersecurity is in the interest of manufacturers, clinicians, patients, and clinical trial participants, to help ensure widespread adoption of DTx as these products and therapies mature in the market.
Digital therapeutics differ from the range of apps we routinely run on our mobile devices. DTx may share the ease of use and (hopefully) intuitive user interfaces we expect, but they are available only with a prescription and are regulated by national regulatory bodies. Wellness apps that do not carry claims about disease outcomes are not regulated.
DTx typically have been through rigorous testing, including having met specified endpoints in clinical trials, and, more frequently, have completed randomized clinical trials before being released for use in a marketplace. Patel and Butte succinctly show what is at stake with DTx cybersecurity:
Considerations of cybersecurity and data rights are preconditions for the mass adoption of DTx. Similar to prior work regarding connected sensors in medicine, as DTx transfers information over the internet, risks of unauthorized access and manipulation of these products and underlying data could compromise both trust in the product and patient care.
And while DTx are distinct from medical devices, their cybersecurity requirements are primarily a reflection (for the moment) of regulations from the medical device world.
Risks & Vulnerabilities
Good data stewardship practices will depend on how data flows and where it is stored. Vulnerable data flow points include those open channels that move data from the mobile device to a website or cloud storage. For instance, leaving “Location” on when following directions using Google Maps transmits location information that risks being collected by those other than Google. Other downloaded apps also create risks and vulnerabilities by allowing access and creating signal conduits for the data flow that could be compromised.
Threats to DTx include data theft, identity disclosure, illegal access to the data, corruption of data, loss of data, violation of data protection, among others. These risks can occur at various points along the path of data movement from user to data storage. No data storage institution is immune from compromise. In subsequent articles, we will go into more detail about specific risks to assess in the flow of data.
Risk mitigation must also consider users of the data: physicians, patients, trial participants, various clinicians with access, and other third parties with a justified interest. Risk mitigation includes encryption protocols and the ability to control data access and data integrity at all times.
Cybersecurity tends to be more relevant to DTx than to traditional medical devices. Pacemakers or insulin pumps are manufactured according to strict protocols by a handful of regulated manufacturing partners. Typically, their communication and system updates also adhere to exacting standards. DTx, on the other hand, rely on third-party software, from operating systems (Android or iOS) to communication networks adhering to a variety of safety standards, some of which may be less rigorous than demanded by specific medical device standards.
From Wellness App to DTx
If a wellness app team intends to develop DTx, assessing cybersecurity risks and vulnerabilities takes on a renewed importance since DTx make use of protected health information while wellness apps do not. Pivoting toward a DTx offering involves asking key cybersecurity questions, as submission to a regulating body like the FDA will include a thorough cybersecurity evaluation. The range of questions is rigorous enough that the team should consider hiring a Chief Information Security Officer (CISO) to dive deep into the needed risk assessments. Risk assessment for the wellness-turned-DTx team would focus on where the protected data resides, where it moves, and how to protect that data at all points. This sophisticated set of questions and answers involves a serious, ongoing effort.
Preparing to meet DTx cybersecurity threats and regulations is an opportunity to take another look at DTx development. FDA guidance encourages device manufacturers to assess the level of cybersecurity risk their products might carry and meet those risks with designed-in controls that minimize the risk. The FDA guidance has four aims:
- Employ a risk-based approach to the design and development of medical devices with appropriate cybersecurity protections.
- Take a holistic approach to device cybersecurity by assessing risks and mitigations throughout the product’s lifecycle.
- Ensure maintenance and continuity of critical device safety and essential performance.
- Promote the development of trustworthy devices to help ensure the continued safety and effectiveness of the devices.
Though this guidance has not proceeded to become regulation, it is the de facto industry standard. ISO 14971 outlines the parameters for assigning criteria to assess risk for medical devices, and it benefits DTx manufacturers looking for risks and vulnerabilities.
Assessing cybersecurity risks and vulnerabilities will play a role in readying a DTx product for widespread adoption. DTx companies will need a thorough assessment of data capture and data flow to ensure the strictest cybersecurity protocols.
Patel NA, Butte AJ. Characteristics and challenges of the clinical pipeline of digital therapeutics. npj Digital Medicine (2020) 3:159; https://doi.org/10.1038/s41746-020-00370-8.
Casalicchio E, Filetti S, Grigolo D, Mancini LV, Mei A, Pagnotta G, Ravizza A, Spognardi A, Stefanelli S. Data protection and cybersecurity in digital therapeutics. Tendenze: Special Issue 4/2021. 64.