Accepted for/Published in: Journal of Medical Internet Research

Date Submitted: Aug 18, 2024
Open Peer Review Period: Aug 18, 2024 - Sep 2, 2024
Date Accepted: Nov 13, 2024

The final, peer-reviewed published version of this preprint can be found here:

Consideration of Cybersecurity Risks in the Benefit-Risk Analysis of Medical Devices: Scoping Review

Freyer O, Jahed F, Ostermann M, Rosenzweig C, Werner P, Gilbert S

J Med Internet Res 2024;26:e65528

DOI: 10.2196/65528

PMID: 39718821

PMCID: 11707448

Consideration of Cybersecurity in the Benefit-Risk Analysis of Medical Devices: A Scoping Review

  • Oscar Freyer
  • Fatemeh Jahed
  • Max Ostermann
  • Christian Rosenzweig
  • Pascal Werner
  • Stephen Gilbert

ABSTRACT

Background:

The integration of connected medical devices (cMDs) in healthcare brings benefits but also introduces new, often challenging-to-assess risks related to cybersecurity, which have the potential to harm patients. Current regulations in the EU and US mandate the consideration of these risks in the benefit-risk analysis (BRA) required for medical device (MD) approval. This important step in the approval process weighs all defined benefits of a device against its anticipated risks to ensure that the product provides a positive argument for use. However, there is limited guidance on how cybersecurity risks should be systematically evaluated and incorporated into the BRA.

Objective:

This scoping review aims to identify current legal frameworks, guidelines, and standards in the US and EU on how cybersecurity-related risks should be considered in the BRA of medical devices. Based on those documents, this review provides recommendations for manufacturers and regulators.

Methods:

This scoping review follows the PRISMA-ScR framework. A systematic literature search of three databases was conducted on July 3rd, 2024: FDA guidance, International Medical Device Regulators Forum (IMDRF), and Medical Device Coordination Group (MDCG). Search terms included ‘cybersecurity,’ ‘security,’ ‘benefit/risk,’ ‘benefit-risk,’ and ‘risk-benefit.’ Additional references were identified via citation search and expert interviews. Inclusion criteria were met if a document was a guideline or standard in force that provided guidance on BRA or cybersecurity-related risks of medical devices. Documents were excluded when they did not describe MDs, when they were limited to a subclass of devices, when they were about in vitro diagnostic medical devices or investigational devices, and when the content of the source was insufficient to undertake a scientific analysis. Data was extracted and analysed using MAXQDA 2022, and findings were narratively summarised and visualised in figures and tables.

Results:

The search identified 41 documents, with 21 meeting the inclusion criteria. These documents included two regulations, four standards, five technical reports, and ten guidance documents. The review revealed that while cybersecurity risks are acknowledged, detailed methods for their integration into the BRA are lacking. Some standards and guidelines provide superficial examples of security BRAs, but a comprehensive and standardised approach remains absent.

Conclusions:

This review highlights a significant gap between the recognition of cybersecurity risks in cMDs and the guidance on their incorporation into the BRA. Standardised frameworks are needed to provide clear methods for evaluating cybersecurity-related risks and their impact on the safety and security of MDs. The recommendations proposed in this review aim to bridge this gap and support the development of more robust BRA practices that enhance patient safety and device effectiveness.


© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.