Guest Column | September 2, 2020

Incorporating Privacy By Design & Security By Design Into Medtech Development

By John Giantsidis, president, CyberActa, Inc.

Digital technology — sensors and wearables, machine learning and artificial intelligence, connected medical devices, Software as a Medical Device (SaMD) — is transforming healthcare. The number of users and consumers of digital health is ever-increasing due to the insatiable appetite for technological advancements that can bring better, cheaper care to patients everywhere.

The development and commercialization efforts, however, must address the equally growing desire for security and privacy. Medical device companies need to act now to demonstrate their products' cyber resilience and privacy capabilities, not simply to address the myriad of compliance and data privacy regulations but also to establish patient and caregiver confidence in their products. Demonstrating privacy and cybersecurity capability creates value for users and/or purchasers, bringing about market differentiation.

How should medical device companies go about designing and commercializing digital health-enabled products and software that offer privacy and cybersecurity capabilities?

The Relationship Between Privacy And Cybersecurity

First, it is important to understand that although cybersecurity and privacy are related, they are not equivalent. Recognizing the boundaries and overlap between privacy and cybersecurity is key to determining when existing cybersecurity may be applied to address privacy concerns and where there are gaps that need to be filled.

The National Institute of Standards and Technology (NIST) defines cybersecurity as “the prevention of damage to, unauthorized use of, exploitation of, and — if needed — the restoration of electronic information and communications systems … to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” With effective cybersecurity:

  • Information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Data (both stored and in transit) is changed only in a specified and authorized manner.
  • Digital health products/services perform their intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation.
  • There is minimal disruption of access to or use of information.

By limiting access to data, a set of robust cybersecurity measures can also help protect privacy — or at least minimize the likelihood of personal data being compromised. However, privacy concerns can also arise from authorized processing of information about individuals. Privacy applies to the collection, control, protection, sharing, and use of information about individuals. Medical device privacy requirements should define the protection capabilities provided by the device, its performance and behavioral characteristics, and the objective evidence used to demonstrate that the device or software meets these requirements. As such, privacy by design can bring about:

  • manageability, which provides the capability for granular administration of personal information, including alteration, deletion, and selective disclosure;
  • dissociability, which enables the processing of personal information or events without association to individuals or devices beyond the operational requirements of the system; and
  • predictability, which enables reliable assumptions by individuals, owners, and operators about personal information and its processing by an information system.

Implementing Security By Design

The cybersecurity landscape is continually evolving, requiring constant monitoring, and it cannot be managed informally or ad hoc. For a medical device to be cybersecure, it must be developed with cybersecurity in mind from the outset, irrespective of the development model, whether “waterfall,” Agile, or other iterative methodologies. Medical device cybersecurity requires formal, continuous processes to take suitable corrective and/or preventive actions because the potential harm to patients and users may include physical harm or incorrect diagnosis.

Cybersecurity must be built into the medical device, not bolted on afterward, and that mandates implementing “security by design” principles that include developing an understanding of the cybersecurity vulnerabilities associated with the device. There are several established cybersecurity frameworks, such as the NIST Cybersecurity Framework, the Center for Internet Security’s Critical Security Controls (CIS Controls), and ISO/IEC 27001 and 27002, that can be used to build a medical device cybersecurity program. There is no one right way to implement these principles; each organization will fine-tune, modify, and customize its medical device development process. Nonetheless, a good starting point is the adoption of the SAFECode Fundamental Practices for Secure Software Development, which help medical device companies produce systems that are resistant to attack, or at least less likely to be compromised, whatever the source of the attack.

Security by design further strengthens the development and commercialization plan by establishing risk management strategies, applying standards, and performing cybersecurity penetration testing. Additional elements will need to be considered, such as the environment in which the device or software is used (network connections, transmission or storage of data) and incorporating user experience (UX) and human factors engineering to create a product that is secure, intuitive, and easy to use. Also, to monitor for vulnerabilities that affect a given device or software, the manufacturer should maintain a software bill of materials (SBOM), so that when a vulnerability is disclosed in a third-party component it can quickly determine which products contain that component, in which version, and assess the risk. One of the most impactful elements to be considered is the minimization of social engineering threats (like phishing) that rely on user deception. Finally, you must take into account all the touchpoints and stakeholders in the product life cycle, including designers, manufacturers, suppliers, hospitals, healthcare professionals, patients, and others. Accurate and timely information is fundamental, since medical device cybersecurity can become a patient safety issue, in addition to a market adoption litmus test.
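The SBOM check described above, as an added example that is not part of the original column: a CycloneDX-shaped SBOM fragment is matched against an advisory feed, and every component whose version falls in an advisory's affected range is reported. The SBOM contents, the component names and versions, and the advisory identifiers (ADV-EXAMPLE-*) are all constructed for illustration; they are not real products or real CVEs, and the half-open [introduced, fixed) range format is an assumption of this example rather than a property of any particular advisory source.

```python
"""Match a constructed CycloneDX-style SBOM against a constructed advisory feed.

Added example: the SBOM, component names, versions and advisory identifiers are
made up for illustration; none of them refer to real products or real CVEs.
"""
import json
from typing import Iterable

# Constructed SBOM fragment in the shape of CycloneDX JSON (only the fields used here).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "tls-stack", "version": "2.4.1",
     "purl": "pkg:generic/tls-stack@2.4.1"},
    {"type": "library", "name": "json-parser", "version": "1.9.3",
     "purl": "pkg:generic/json-parser@1.9.3"},
    {"type": "operating-system", "name": "rtos-kernel", "version": "5.0.2",
     "purl": "pkg:generic/rtos-kernel@5.0.2"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers. Each entry names a
# component and the half-open version range [introduced, fixed) that is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "tls-stack",
     "introduced": "2.0.0", "fixed": "2.4.3", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "component": "json-parser",
     "introduced": "1.9.4", "fixed": "1.9.8", "severity": "medium"},
    {"id": "ADV-EXAMPLE-003", "component": "rtos-kernel",
     "introduced": "4.0.0", "fixed": "5.0.0", "severity": "critical"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Parsing stops at the first non-numeric piece ("2.4.1-rc1" -> (2, 4)), which
    errs on the side of treating pre-releases as older, i.e. still affected.
    """
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed under tuple comparison."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_affected(sbom_json: str, advisories: Iterable[dict]) -> list[dict]:
    """Return one finding per advisory that applies to a component in the SBOM."""
    sbom = json.loads(sbom_json)
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
            findings.append({
                "advisory": adv["id"],
                "component": comp["name"],
                "version": comp["version"],
                "severity": adv["severity"],
                "fixed_in": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_affected(SBOM_JSON, ADVISORIES):
        print(finding)
```

Only tls-stack 2.4.1 falls inside its advisory's range; json-parser 1.9.3 predates the introduced version and rtos-kernel 5.0.2 is already at or past the fix, so neither is reported. In practice the matching key would be the package URL (purl) rather than a bare name, and the advisory feed would be an NVD, OSV or vendor source rather than an inline list.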

Implementing Privacy By Design

Privacy by design is about embracing privacy requirements throughout the development process, from the conception of a new device through detailed system design, implementation, and operation. Privacy protections must be core, organic functions, not added on after a design is complete. It is important to establish the product privacy life cycle, during which there should be no gaps in the protection of the data or in accountability for the data. The medical device developer should clearly establish responsibility for all privacy-related policies and procedures to assure users and patients alike that privacy-related business practices and technical controls are operating according to commitments and objectives. Moreover, it is vitally important to establish and proliferate redress mechanisms for the users and patients and, except where otherwise mandated by law, each user should be empowered with consent for the collection, use, or disclosure of their information.

Privacy by design incorporates seven key principles:

  1. Proactive, not reactive; preventive, not remedial: Take a proactive approach, anticipating privacy risks and preventing privacy invasive events before they occur.
  2. Privacy as a default setting: Automatically protect personal information in medical devices as the default. The medical device should process only the data necessary to achieve its specific purpose and protect personally identifiable information (PII) during collection, storage, use, and transmission. Patients and users should not have to take affirmative action to protect their PII.
  3. Privacy embedded into design: Embed privacy protections into the design of any medical device, ensuring that privacy becomes one of its core functions.
  4. Full functionality – positive-sum, not zero-sum: Incorporate all legitimate interests and objectives in a win-win manner, not through a zero-sum (either/or) approach. This will avoid unnecessary trade-offs, such as privacy versus security, demonstrating that it is possible to have both.
  5. End-to-end security – full life cycle protection: Put in place strong security measures throughout the life cycle of the information involved. Process personal information securely and then destroy it securely when you no longer need it.
  6. Visibility and transparency – keep it open: Ensure that the medical device operates according to the stated promises and objectives and is independently verifiable. Make users and patients fully aware of the personal information being collected and for what purpose.
  7. Respect for user privacy – keep it user-centric: Keep the interest of individuals paramount in the design and implementation of any system or service. You can do this by offering strong privacy defaults and user-friendly options, as well as ensuring appropriate notice is given.
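The second principle (process only the data the purpose needs, with no action required from the user) and the dissociability objective from the earlier section are both illustrated by the following added example, which is not code from the column or from any device vendor. It minimizes a device telemetry record to an allow-list of fields before export, replaces the patient identifier with a keyed HMAC token so records can be linked for one purpose without revealing who the patient is, coarsens the timestamp, and gates the export on a check that no direct identifier survived. The record, field names and key are constructed; HMAC-SHA256 pseudonymization is one common technique, not one the column prescribes.

```python
"""Privacy-by-default processing of a device telemetry record.

Added example (not from the article): the record, field names and key are
constructed for illustration. Keyed-HMAC pseudonymization is one common way
to achieve dissociability; the article does not prescribe a specific method.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Allow-list: only fields the stated analytics purpose needs leave the device.
# Anything not listed is dropped by default, with no action required from the user.
ALLOWED_FIELDS = {"device_model", "firmware_version", "battery_pct", "alarm_code"}

# Direct identifiers that must never appear in the exported record.
DIRECT_IDENTIFIERS = {"patient_name", "mrn", "date_of_birth", "room"}

# Constructed raw record as a device might assemble it internally (fictitious data).
RAW_RECORD = {
    "patient_name": "A. Example",
    "mrn": "MRN-0001234",
    "date_of_birth": "1961-04-17",
    "room": "ICU-7",
    "device_model": "PumpX-200",
    "firmware_version": "3.2.0",
    "battery_pct": 81,
    "alarm_code": "OCCLUSION",
    "recorded_at": "2020-09-02T14:37:52+00:00",
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token.

    Stable for the same (value, key), so records about one subject can be linked
    where that is legitimately needed; a different per-purpose key yields unrelated
    tokens, so data sets for different purposes cannot be joined. Unlike a plain
    hash, it cannot be recomputed by anyone who lacks the key, which matters
    because the space of possible MRNs is small enough to brute-force.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def coarsen_timestamp(iso_ts: str) -> str:
    """Reduce precision to the hour: enough for trend analytics, less useful for
    re-identifying a patient by correlating with other hospital logs."""
    ts = datetime.fromisoformat(iso_ts).astimezone(timezone.utc)
    return ts.replace(minute=0, second=0, microsecond=0).isoformat()


def minimize(record: dict, purpose_key: bytes) -> dict:
    """Build the record that leaves the device: allow-listed fields only, the
    patient identifier replaced by a per-purpose token, timestamp coarsened."""
    exported = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "mrn" in record:
        exported["subject_token"] = pseudonymize(record["mrn"], purpose_key)
    if "recorded_at" in record:
        exported["recorded_at"] = coarsen_timestamp(record["recorded_at"])
    return exported


def leaks_direct_identifier(exported: dict, raw: dict) -> bool:
    """Release gate: True if a direct identifier key, or the raw value of one,
    survived minimization (catches e.g. an MRN copied into a free-text field)."""
    raw_values = [str(raw[k]) for k in DIRECT_IDENTIFIERS if k in raw]
    for key, value in exported.items():
        if key in DIRECT_IDENTIFIERS:
            return True
        if any(rv in str(value) for rv in raw_values):
            return True
    return False


if __name__ == "__main__":
    # In a real device the per-purpose key lives in protected storage; a fresh
    # random key stands in for it here (assumption for the example).
    analytics_key = os.urandom(32)
    exported = minimize(RAW_RECORD, analytics_key)
    assert not leaks_direct_identifier(exported, RAW_RECORD)
    print(exported)
```

Note the shape of the design: the allow-list, not a deny-list, decides what is exported, so a field added to the raw record later is dropped unless someone deliberately admits it, and the release gate is an independent check rather than trust in the minimizer. Key management (where the per-purpose key is stored, who can rotate it, and what happens to linkability after rotation) is outside this snippet and must be handled by the device's secure storage design.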

These principles are fundamental tenets that can guide a medical device privacy program, which an organization must translate into specific practices. You can pick from several pragmatic frameworks (NIST Privacy Framework, OECD Privacy Framework, ISO/IEC 27001/27701) or create your own systematic, risk-oriented process whose goal is to translate the principles of privacy by design into practical and operational terms across the life cycle of a medical device entrusted with personal data processing. The outcome makes privacy an integrated part of medical device design, such that privacy requirements are defined in terms of fully implementable properties and functionalities, and any identified privacy risk is managed proactively in order to render the medical device as privacy-friendly as possible.

Conclusion

Privacy and cybersecurity are still too often an afterthought, incorporated into a medical device after its design is complete rather than being an integral part of the design process. Some users view strong security and privacy as an impediment to efficient and user-friendly operation of a medical device. Adopting privacy by design and security by design can provide safeguards to privacy and security while enabling a high degree of utility and usability, which in turn can increase consumer/user confidence and trust. Such trust can drive market differentiation and broader selection of medical devices that offer cybersecurity and privacy capabilities.

References:

  1. NIST. NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems (2017).
  2. Information and Privacy Commissioner of Ontario. Privacy by Design: The 7 Foundational Principles (2009). https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf

About The Author:

John Giantsidis is the president of CyberActa, Inc., a boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their cybersecurity, privacy, data integrity, risk, SaMD regulatory compliance and commercialization endeavors. He is also a member of the Florida Bar’s Committee on Technology and a Cyber Aux with the U.S. Marine Corps. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire, and a Master of Engineering in Cybersecurity Policy and Compliance from The George Washington University. He can be reached at john.giantsidis@cyberacta.com.