Article

Reg-Med Tech Report: Emerging Digital Technologies in Patient Care

Dealing with Connected, Intelligent Medical Device Vulnerabilities and Failures in the Healthcare Sector

L I M

The REG-MEDTECH project published a report on 9 June 2023 entitled “Emerging Digital Technologies in Patient Care: Dealing with connected, intelligent medical device vulnerabilities and failures in the healthcare sector”. The report summarises findings from the workshop entitled Emerging Digital Technologies in Patient Care: Dealing with Connected, Intelligent Medical Device Vulnerabilities and Failures in the Healthcare Sector, held on 23 February 2023 at Goodenough College, London. The workshop was organised by members of the Reg-MedTech project1, funded by the PETRAS National Centre of Excellence in IoT Systems Cybersecurity (EPSRC grant number EP/S035362/1), in collaboration with project partners at the BSI, the UK’s National Standards Body.

Since October 2021, the Reg-MedTech project has investigated the extent to which current regulatory frameworks and standards address the critical cybersecurity, data governance, and algorithmic integrity risks posed by connected and intelligent medical devices. A critical finding from its ongoing research has been the need to develop standards, regulations, and policies that are better informed by the experiences of physicians, clinicians, and healthcare professionals dealing with software-based medical devices or software as a medical device (SaMD) in their day-to-day practice.

The workshop was attended by fifty-two participants, with representation from clinicians and healthcare professionals, public bodies including regulatory agencies, device manufacturers, legal and regulatory consultants, standards makers, and researchers.

Access the report “Emerging Digital Technologies in Patient Care: Dealing with connected, intelligent medical device vulnerabilities and failures in the healthcare sector” here.

Key Findings

The research team reports several priority areas that have been identified and discussed through the expert and practitioner elicitation sessions during the workshop:

  • Regular training for clinicians and healthcare professionals about recurring and new cybersecurity, data quality, and algorithmic trustworthiness issues in connected and intelligent medical devices. These issues include malware, exploits, and malicious attacks on hospital infrastructure and the IoMT, vulnerable and hackable implantables, and medical device software that could interfere with the decision-making of physicians, clinicians, and healthcare professionals in a non-transparent manner. In addition, participants identified the need for more procedural awareness of device maintenance and reporting of possible and recognised malfunctions in hospitals and other healthcare settings, including communications with the medical engineering teams inventorying medical devices and IT personnel in the hospital.
  • More post-market and lifecycle device management, maintenance, and support from the manufacturer. Participants highlighted the critical need to have more support for understanding connected and intelligent medical device behaviours throughout the device’s lifecycle – whether in use in hospitals or by patients – including more continuous monitoring of device performance once deployed in healthcare settings. Equally, physicians and healthcare professionals who interact with patients directly in the community – such as nurses or General Practitioners (GPs) in the UK – may need more information from manufacturers or application and digital platform owners about how medical devices such as implantables or medical apps are updated and supported throughout their lifecycle.
  • More transparent and synergetic communication between healthcare practitioners, manufacturers, and regulators about device performance and potential malfunctions. Device specifications and capabilities, and how they interact with the patient or, in the case of SaMDs, the decisions made by practitioners in healthcare settings are not always straightforward. Often, clinicians or healthcare practitioners need to provide urgent care without knowing how implantables might interact with a patient’s biological response, or how the devices they use in a hospital setting may perform if compromised or potentially compromised. Participants highlighted the critical need to have more regular communication and feedback between professional users (e.g. clinicians), end users (e.g. patients), and manufacturers to ensure all parties are kept informed of the intended use, the anticipated behaviour, and on-theground performance of new digital devices.
  • Responsibility and professional liability concerns. Participants highlighted the difficulty in identifying the extent to which their clinical and professional decision-making could be affected by hacked systems or malfunctioning/potentially malfunctioning devices. The line between product and professional liability has become thinner as a result of interactions with new software-based medical devices or SaMDs, especially AI as a Medical Device (AIaMD). The connectivity expected in hospital and healthcare settings, including the reliance on electronic medical records and cloud storage of patient records, were identified as critical vulnerability points and requiring more system resilience for the provision of reliable patient care.

Please cite this report as:

Brass, I., Straw, I., Mkwashi, A., Charles, I., Soares, A., Steer, C. (2023) Emerging Digital Technologies in Patient Care: Dealing with connected, intelligent medical device vulnerabilities and failures in the healthcare sector. Workshop Report. London: PETRAS National Centre of Excellence in IoT Systems Cybersecurity. DOI: 10.5281/zenodo.8011139