What Is a Medical Cyber Device?

What is a cyber device?

Section 524B(c) of the U.S. Food and Drug Administration’s (FDA’s) Food, Drug, and Cosmetic (FD&C) Act defines "cyber device" as a device that:

• Includes software validated, installed, or authorized by the sponsor as a device or in a device
• Has the ability to connect to the internet
• Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats¹

Figure 1.

So, cyber devices are physical systems made of hardware, software and data that connect to the Internet of Things (IoT). Nowadays, just about anything can be a cyber device thanks to the various types of sensors and software available and the ubiquity of the IoT (Figure 1). 

Why cyber?

Just because you can make a device cyber, should you? Many examples of the benefits of doing so exist, so let’s look at one that became critically useful during the COVID-19 pandemic: a ventilator.

A ventilator is a device that helps a person breathe when their body is too weak or infirm to do so on its own. On the mechanical side, the device works like healthy lungs to pull air in and push air out. It also has sensors that measure carbon dioxide levels in the body and the pH level of the blood, as well as proprioceptors that give detailed and continuous information about the position of the limbs and other body parts in space.

The ventilator becomes a medical cyber device when it sends information gathered by these sensors to a central processing center that makes decisions about strength, oxygenation level, etc., and responds with commands that alter the ventilator's operation. The ability to control ventilators remotely was critical during the pandemic because infected patients needed to be kept in strict isolation to stop the spread of the disease. A health practitioner could not have safely entered the room to adjust a traditional ventilator, so cyber ventilators played a crucial role.

Cyber-safe, -secure and -resilient

Medical cyber devices have made impressive contributions to medical care, but they have also introduced new vulnerabilities. If a medical cyber device is hacked by an unscrupulous third party, a patient could die. If a cyber device doesn’t correctly perform its intended function, a patient could worsen or die. If a cyber device stops working, a patient could die. So, maintaining the integrity of both the device and its network to protect from unintended or unauthorized access, change or disruption becomes a matter of life or death.

Figure 2.

A robust medical cyber device has the ability to:

• Guard against threats
• Eliminate threats when they occur
• Warn health practitioners in case of a threat
• Reduce patients’ susceptibility to harm from threats

How can this be achieved? Through threat modeling, developers can try to raise a device's sophistication by understanding the device and its connected systems’ susceptibilities to attack and how somebody might try to attack them. Anticipating threats to the physical device, its data and its network, and designing responses to the threats is a crucial step in the development of cyber devices.

If you’re thinking that the gamut of possible threats to any device is daunting, you are not wrong. Fortunately, that is why we have medical cyber device standards in place.

 Figure 3.

Because products must meet stringent certification standards to gain access to global markets, manufacturers must continuously address those standards starting in the earliest stages of design and development. Standards are developed and updated by groups of experts using the combined input of decades of technical expertise from scientists around the world. They outline the processes in which products are tested to help mitigate risk, injury or danger. Products that have been certified against standards can instill confidence in consumers, manufacturers and retailers that they will operate safely, correctly and effectively.