The Internet of Medical Things (IoMT)

Medical devices must comply with the regulations and guidelines described above, as well as a thicket of national and international regulations, standards and other guidelines to be certified as safe for use in the management of human health. When these devices gain an Internet connection and become part of ‘the Internet of Medical Things (IoMT)’, the concerns multiply. They include:

  • Cybersecurity risks, such as hacking, which could change the device’s functionality, endangering patients’ lives, or subject their most sensitive data to misuse.
  • Patient safety risks, for example when an IoMT device becomes less resilient because part of its functionality has been moved to cloud services that are only reachable while the network connection holds up.
  • Regulatory compliance, including full adherence to multiple standards that may be evolving, as well as the costs and complexity of achieving full validation and verification.
  • Interoperability issues, such as integrating with arbitrary existing healthcare systems and other medical devices to achieve easy data exchange.
  • Data management issues that are common in many other IoT contexts, but with the added challenge of handling large volumes of ultrasensitive personal health data.
  • Enhanced product liability issues for medical device makers, caused by the additional complexity brought on by adding Internet connectivity to medical devices.
  • Maintenance and software update issues, which present a particular challenge for devices that are in daily use.

A person using a finger pulse oximeter

Medical device makers already must comply with multiple standards, and slightly differently drawn regulations in different countries and regions. Here are some which are relevant to IoMT devices and deployments.

European Union (EU)

Medical Device Regulation 2017/745

  • Governs the safety and performance of medical devices in the EU. Annex I of the regulation, on general safety and performance requirements, focuses on reducing patient risk. It says in part: “Risk control measures adopted by manufacturers for the design and manufacture of the devices shall conform to safety principles, taking account of the generally acknowledged state of the art.” [Author’s emphasis.]

Section 17 of the same annex, on ‘electronic programmable systems — devices that incorporate electronic programmable systems and software that are devices in themselves’, also requires that “manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.” In practice this is the clause that obliges a manufacturer to specify and document the device’s network and access-control baseline rather than leave it to the deploying hospital.

In Vitro Diagnostic Regulation

  • Regulation (EU) 2017/746 regulates in vitro diagnostic devices within the EU. It borrows much of the language and intent of the Medical Device Regulation, including the Annex I requirements on electronic programmable systems.

GDPR

  • Comprehensive data protection and privacy regulation covering the personal data of individuals in the EU, regardless of citizenship. Health data is a ‘special category’ of personal data under Article 9, which sets a higher bar for processing it.

NIS Directive

  • Focuses on improving the cybersecurity of networks and information systems in the EU, with healthcare named as a sector of ‘operators of essential services’. It has since been replaced by the NIS2 Directive (Directive (EU) 2022/2555), which widens the scope and tightens incident-reporting obligations.

Radio Equipment Directive

  • Directive 2014/53/EU sets the essential requirements for devices using radio frequencies in the EU. Commission Delegated Regulation (EU) 2022/30 activates the directive’s cybersecurity essential requirements (network protection, personal data and privacy, and fraud protection) for internet-connected radio equipment, which captures most wireless IoMT devices.

United States (US)

Federal Food, Drug, and Cosmetic Act (FD&C Act)

  • The main law under which the FDA regulates medical devices.

Food and Drug Administration (FDA) – Medical Device Cybersecurity Guidance

  • The FDA’s guidance on cybersecurity in medical devices (“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”) sets out what it expects to see in premarket submissions. Its statutory basis is Section 524B of the FD&C Act, which requires the sponsor of any ‘cyber device’ to give regulators information showing that it will, among other things, “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems”, together with a plan for monitoring and addressing postmarket vulnerabilities and a software bill of materials covering commercial, open-source and off-the-shelf components.

Health Insurance Portability and Accountability Act

  • Establishes national standards for the protection of health information. The technical safeguards of the HIPAA Security Rule (45 CFR §164.312) require covered entities and their business associates to implement access controls, audit controls, integrity controls that protect electronic protected health information from improper alteration or destruction, person or entity authentication, and transmission security; encryption appears as an ‘addressable’ implementation specification for both storage and transmission, meaning an entity must implement it or document why an equivalent alternative is reasonable. Although these rules were written some years ago with large-scale health information systems in mind, they apply to any IoMT device or ecosystem through which a covered entity or business associate handles electronic protected health information.

21st Century Cures Act

  • Promotes the use of digital health technologies while ensuring safety.

Cybersecurity Information Sharing Act of 2015 (CISA)

  • Facilitates cybersecurity threat information sharing between government and the private sector, and gives liability protection to organisations that share threat indicators. Not to be confused with the Cybersecurity and Infrastructure Security Agency, which shares the acronym and publishes medical device advisories.

United Kingdom (UK)

UK Medical Devices Regulations (UK MDR 2002)

  • Governs the regulation of medical devices in Great Britain, as amended after Brexit to replace EU conformity marking with UKCA marking and to recognise the MHRA as the regulator.

Data Protection Act 2018 (DPA)

  • UK law that works alongside the UK GDPR (the retained version of the EU regulation) to ensure data protection.

Network and Information Systems Regulations 2018

  • Implements the EU’s NIS Directive in the UK, focusing on the cybersecurity of essential services, including health.

Radio Equipment Regulations 2017

  • Governs the use of radio equipment in the UK, including connected medical devices.

International Medical Device Regulators Forum (IMDRF)

  • A consortium of medical device regulators, which published “Principles and Practices for Medical Device Cybersecurity” (IMDRF/CYBER WG/N60FINAL:2020) in March 2020. Among its pre-market design recommendations, the guide says designers should consider how communications between devices and systems will authenticate each other; whether encryption is required; and how unauthorized replay of previously transmitted commands or data will be prevented. Those three questions map directly onto the design choices a device team has to make: which credential each party holds and proves, whether the channel must provide confidentiality as well as integrity, and what freshness mechanism (nonces, counters or timestamps) stops a captured message being accepted twice.

The best approach to authentication for IoMT devices and ecosystems appears to remain an open question. A 2022 paper entitled “Authentication in the Internet of Medical Things: Taxonomy, Review, and Open Issues”, by academics at King Abdulaziz University and King Khalid University in Saudi Arabia and published in the journal Applied Sciences, presents a systematic review of IoMT authentication schemes. The authors reviewed 118 published papers to catalogue the schemes available and to produce a taxonomy. They found that most schemes relied on a distributed authentication architecture and public key infrastructure, with hybrid cryptography (combining symmetric and asymmetric primitives) becoming popular to overcome the shortcomings of a single cryptographic approach. They concluded by arguing that IoMT authentication schemes need to go beyond identifying IoMT entities to the system, and must also support mass scalability and end-to-end, cross-layer and cross-domain authentication.
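To make the IMDRF design questions above (mutual authentication, whether to encrypt, replay prevention) and the review’s observations concrete, here is a complete two-party exchange. It is an added example and not code from this page, from the IMDRF guide or from the cited paper. It assumes a simpler arrangement than the PKI-based schemes the review found most common: a pulse oximeter and a hospital gateway share a per-device secret K provisioned at manufacture, so each side proves knowledge of K with HMAC-SHA256 over fresh nonces, derives a session key from both nonces, and protects every reading with a strictly increasing sequence number. The device identifier and the telemetry payload are constructed for the example.

```python
"""Mutual challenge-response authentication with replay protection for an IoMT link.

Added example, not code from the page, the IMDRF guide or the cited paper. It assumes
a pulse oximeter and a hospital gateway share a per-device secret K provisioned at
manufacture; identifiers and telemetry below are constructed. Standard library only.
"""
import hashlib
import hmac
import secrets

def _tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

class Gateway:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # device_id -> K (provisioned at manufacture, assumption)
        self.pending = {}                # device_id -> (nonce_d, nonce_g) while a handshake is in flight
        self.sessions = {}               # device_id -> [session_key, last_seq]

    def challenge(self, device_id: bytes, nonce_d: bytes):
        """Step 2: answer the device's hello with a fresh nonce and our proof of K."""
        key = self.device_keys.get(device_id)
        if key is None:
            return None                  # unknown device: no challenge, no oracle
        nonce_g = secrets.token_bytes(16)
        self.pending[device_id] = (nonce_d, nonce_g)
        return nonce_g, _tag(key, b"gateway", device_id, nonce_d, nonce_g)

    def finish(self, device_id: bytes, tag_d: bytes) -> bool:
        """Step 4: verify the device's proof over THIS handshake's nonces, then derive the session key."""
        pend = self.pending.pop(device_id, None)
        if pend is None:
            return False
        nonce_d, nonce_g = pend
        key = self.device_keys[device_id]
        if not hmac.compare_digest(_tag(key, b"device", device_id, nonce_d, nonce_g), tag_d):
            return False                 # wrong key, or a proof replayed from an older handshake
        self.sessions[device_id] = [_tag(key, b"session", nonce_d, nonce_g), 0]
        return True

    def receive(self, device_id: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
        """Accept a reading only if its MAC verifies and its sequence number is new."""
        if device_id not in self.sessions:
            return False
        session_key, last_seq = self.sessions[device_id]
        if not hmac.compare_digest(_tag(session_key, seq.to_bytes(8, "big"), payload), tag):
            return False
        if seq <= last_seq:              # replayed (or reordered) frame: reject
            return False
        self.sessions[device_id][1] = seq
        return True

class Device:
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key = device_id, key
        self.nonce_d = self.session_key = None
        self.seq = 0

    def hello(self):
        """Step 1: open a handshake with a fresh nonce."""
        self.nonce_d = secrets.token_bytes(16)
        return self.device_id, self.nonce_d

    def respond(self, nonce_g: bytes, tag_g: bytes):
        """Step 3: authenticate the gateway first; only then send our own proof."""
        expected = _tag(self.key, b"gateway", self.device_id, self.nonce_d, nonce_g)
        if not hmac.compare_digest(expected, tag_g):
            return None                  # rogue gateway: abort and reveal nothing
        self.session_key = _tag(self.key, b"session", self.nonce_d, nonce_g)
        return _tag(self.key, b"device", self.device_id, self.nonce_d, nonce_g)

    def send(self, payload: bytes):
        """Authenticated telemetry frame carrying a strictly increasing sequence number."""
        self.seq += 1
        tag = _tag(self.session_key, self.seq.to_bytes(8, "big"), payload)
        return self.device_id, self.seq, payload, tag

def run_session():
    """Full exchange plus a replay of one captured frame; returns (auth_ok, first_ok, replay_ok)."""
    key = secrets.token_bytes(32)
    dev = Device(b"oximeter-0001", key)          # constructed identifier
    gw = Gateway({b"oximeter-0001": key})
    dev_id, nonce_d = dev.hello()
    nonce_g, tag_g = gw.challenge(dev_id, nonce_d)
    tag_d = dev.respond(nonce_g, tag_g)
    auth_ok = tag_d is not None and gw.finish(dev_id, tag_d)
    frame = dev.send(b'{"spo2":97,"bpm":72}')    # constructed sample reading
    first_ok = gw.receive(*frame)
    replay_ok = gw.receive(*frame)               # attacker resends the captured frame
    return auth_ok, first_ok, replay_ok

if __name__ == "__main__":
    print(run_session())  # (True, True, False)
```

Two design points are worth noting. The device checks the gateway’s proof before producing its own, so a rogue gateway that does not hold K learns nothing it can reuse, and because the gateway binds its verification to the nonce it generated for this handshake, a device proof captured earlier fails against any later challenge. The HMAC tags give integrity and authenticity only; they do not hide the SpO2 and pulse values, so where the IMDRF question “whether encryption is required” is answered yes (as it will be for protected health information in transit), the session key should feed an authenticated-encryption mode rather than a bare MAC, and the last-seen sequence number must survive a gateway restart or the replay check is lost.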
