The digital revolution has impacted the Internet of Things (IoT), the Internet of Medical Things (IoMT), and Software as Medical Devices (SaMD). In addition to this, it has even penetrated connected devices in hospitals and home healthcare environments. This revolution has also raised concerns about the phenomenon of medical device safety.
According to incomplete statistics, medical devices are increasingly becoming the target of malicious cyber attacks. This not only leads to data breaches but also increases the cost of healthcare delivery and ultimately affects the health status of patients.
In the EU, both the MDR and IVDR require consideration of medical device network security. And the Medical Device Coordination Group (MDCG) instructs manufacturers on how to meet all the relevant basic requirements of the MDR Annex I and IVDR on network security in its guidance.
In March, The Biden administration announced budget proposals that include increased investment in critical infrastructure network security. In response to this proposal, the FDA released a budget request highlighting their intent to improve medical device security. The FDA is requesting a total of $8.4 billion in the President’s FY 2023 budget. In addition to focusing on pandemic preparedness and food safety and nutrition modernization, the FDA plans to devote more resources to medical device safety. The FDA’s budget proposal allocates an additional $5 million in funding to improve the safety of medical devices.
“Developing a more comprehensive cybersecurity program for medical devices will help to identify and mitigate vulnerabilities that could compromise medical systems or disrupt device manufacturing or consumer use, placing national security at risk,” the proposal stated.
What problems may occur if there is a medical device safety defect?
Medical device safety is one of the biggest security challenges facing healthcare organizations today.
Today, security alerts about medical devices are increasing year by year. The existence of cybersecurity vulnerabilities in implanted medical devices like pacemakers, implantable atrial defibrillators, and implantable insulin pumps is no longer a topic to be avoided. In the survey report, researchers found that 75% of the 200,000 infusion pumps contained known security vulnerabilities. According to the annual list of medical device recalls issued by the FDA, we can find information about recalls related to Class I medical devices or Class II, III. These recalled products represent the possibility that they could cause serious health problems or even death.
Example 1. Medifusion 3500 and 4000 Syringe Infusion Pumps — Smith Medical 
In April 2022, Smith Medical sent a letter to customers to recall their Medfusion 3500 and 4000 Syringe Infusion Pumps. These two types of syringe infusion pumps are used to deliver fluids to patients at precisely controlled volumes. However, there are 8 software malfunctions affecting different serial numbers and software versions. These malfunctions may cause serious injury or death to patients from inadequate or excessive fluid infusion from a syringe infusion pump, or delayed delivery of critical medications. Smith Medical states that they have received eight reports related to these issues, including seven serious injuries and one death.
Example 2. CARESCAPE R860 Ventilator Backup Battery — GE Healthcare 
In April 2022, GE Healthcare recalled its CARESCAPE R860 ventilator backup battery (including replacement backups), manufactured on or after April 1, 2019. The reason is that the battery may run out before it is expected to run out. If the ventilator fails while powered through the backup battery, it may cause the patient to be deprived of oxygen and respiratory support and become hypoxic. If the patient is deprived of oxygen for a long time, it may cause serious physical injury or death.
Example 3. MiniMed Remote Controllers — Medtronic 
In October 2021, Medtronic started a recall of all MiniMed remote controllers used with the MiniMed Paradigm insulin pump or the MiniMed 508 insulin pump series. The recall is due to a potential cybersecurity hazard. If the remote controller ID is programmed into the pump, or if the easy bolus option has been programmed, it could be used by unauthorized persons in violation. These individuals can use the remote controller to instruct the insulin pump to deliver excess insulin to the patient, causing them to become hypoglycemic. Or stop delivering insulin, causing hyperglycemia or diabetic ketoacidosis, which can even cause death in severe cases.
As long as medical devices have software, they need to be vigilant because they can be subject to cyber security threats and attacks.
Why is it critical to verify a medical device is effective and safe?
1. What are the safety and effectiveness of medical devices?
In the document Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices of the International Forum of Medical Device Regulators, there are definitions of the safety and effectiveness of medical devices. The definition of safety in ISO/IEC Guide 51:2014 is “Freedom from unacceptable risk”; the definition of effective is “The ability of a medical device or IVD medical device to provide clinically significant results in a significant portion of the target population”.
In its regulation 21 CFR 860.7, the US FDA describes medical devices as “safe” and “effective” respectively as follows.
“There is reasonable assurance that a device is safe when it can be determined based on valid scientific evidence that the probable benefits to health from use of the device for its intended uses and conditions of use, when accompanied by adequate directions and warnings against unsafe use, outweigh the probable risks. ”
“There is reasonable assurance that a device is effective when it can be determined, based upon valid scientific evidence, that in a significant portion of the target population, the use of the device for its intended uses and conditions of use, when accompanied by adequate directions for use and warnings against unsafe use, will provide clinically significant results.”
The definition of safety is based on the acceptability of risk, and effectiveness is based on the acceptability of benefit. However, the acceptability of risk cannot be separated from benefit. And the acceptability of benefit cannot be separated from risk. There are many similarities between safety and effectiveness, and neither concept is absolute. As both of them are evaluated by the probability and importance of benefit or risk. Both can also be specified by the common elements of medical (clinical) problems, affected populations, and conditions of use.”
2. Why it is so important?
In many cases of medical data breaches, the problem is usually with the medical device. And cyber criminals often start by attacking medical devices.
Imagine if the medical devices connected to the network using a relatively simple gateway, the criminals would be extremely easy to break through. They can not only the data in the device but all connected devices.
With the examples above, we can clearly know that if we don’t ensure medical safety and effectiveness, there will be injuries or even death caused by medical device failure. Ensuring the safety and effectiveness of medical devices can protect people’s health and life safety. These are the missions and responsibilities of the companies for the development, production, operation, use and supervision, and management of medical devices.
The first article in Medical Device Supervision and Management Regulations states that: “This regulation is enacted to ensure the safety and effectiveness of medical devices, and to protect human health and life safety. In the regulations, “safe” appeared 26 times, “effective” appeared 25 times, “safe and effective” appeared a total of 17 times. This shows the importance of “safe and effective” for medical device products.
How to Ensure Medical Device Safety?
The safety and effectiveness of medical devices should be achieved through the development, production, operation, use, supervision, and management of its related subjects. The concept of medical device products is based on user needs.
During the whole life cycle through the design and development, registration, marketing, scale production, quality control, market feedback, renewal, and many other aspects, the manufacturer is the main body and the first responsible person to ensure the safety and effectiveness of its medical devices. Drug regulatory authorities are the main body to review, monitor, and manage the safety and effectiveness of medical devices. Operators and users (medical personnel and patients) are the practitioners of safe and effective medical devices. Safe and effective medical devices are achieved through a sound quality system including product design and development and risk management throughout the process. Throughout the risk management process, sufficient scientific evidence related to risks and benefits needs to be accumulated for the intended purposes and conditions of the use of the product. This is an internal guarantee of the medical device safety and effectiveness.
The medical device regulatory system is the external guarantee of the safety and effectiveness of medical devices.
Throughout the history of medical device development, even those leading multinational companies in Europe and the US have had major accidents involving product safety and effectiveness. The reasons for this are, firstly, the lack of concrete implementation of regulations and quality requirements in practice. And secondly, there are the existence of defects in new product designs, but they can not identify and avoid the corresponding risks in a timely and accurate manner.
With the rapid advancement of technology, medical device safety and effectiveness, especially those of innovative products, are facing new challenges. In response to these new challenges, medical device regulatory science has emerged.