Although cyber threats are nothing new to the healthcare industry, the rise of 3D printing in the medical industry presents unique cybersecurity challenges for medical device manufacturers and hospitals. In July 2016, researchers at the New York University (NYU) Tandon School of Engineering found that 3D printing poses cybersecurity risks in the manufacturing process that could affect the reliability of the end product. The study found that a hacker could potentially alter the printer head orientation without detection, affecting the strength of the device by as much as 25 percent. Alternatively, a hacker could manipulate a 3D printer while it is connected to the internet to introduce internal defects as the device is being printed.
Although 3D printing offers many manufacturing benefits by making it possible to print customized devices on demand offering better fit and greater comfort for patients, the digital transmission of design files makes it more challenging to ensure sensitive confidential patient information is protected. Confidential patient information contained within patient imaging (e.g., computed tomography (CT) or magnetic resonance (MR) imaging) is vulnerable to being compromised or stolen in the digital transmission process. Mishandling HIPAA-protected information carries heavy penalties and has resulted in more than $9 million in fines in 2016, according to the U.S. Department of Health & Human Services.
The FDA has acknowledged the need for effective cybersecurity measures to ensure the safety and efficacy of medical devices and protect patient health. In January 2016, the FDA issued a guidance entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The guidance, although not specific to 3D printed devices, sets forth recommendations for manufacturers to develop cybersecurity controls during the design and development stages of a medical device as well as in preparing FDA premarket submissions for software and devices using software. The FDA urges manufacturers to establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis required by 21 C.F.R. part 820.30(g) governing design validation. The FDA also recommends that device manufacturers adopt security measures to protect medical devices including, but not limited to, limiting access to devices to trusted users only and ensuring trusted content.
While the FDA recommends the use of design controls to assure medical devices will maintain their integrity from the point of origin to the point at which the device leaves the control of the manufacturer, 3D printing raises the question, "When is a device considered to have a left a manufacturer's control?" Unlike traditionally-manufactured medical devices that get physically shipped, 3D printed medical devices are sent electronically in the form of a CAD file from the manufacturer often to a service bureau to print off-site. Has the device left the manufacturer's control after the CAD file was sent? After the medical device is 3D printed? The law is unsettled on these issues.
The FDA has also addressed the postmarket management of cybersecurity issues in medical devices. In January 2016, the FDA released a draft guidance entitled Postmarket Management of Cybersecurity in Medical Devices, which sets forth the FDA's post-market recommendations. The FDA encourages manufacturers to monitor, identify, and address cybersecurity vulnerabilities as part of their postmarket management of medical devices and sets forth elements of an effective postmarket cybersecurity program. The program includes defining the risk acceptance criteria of a device; identifying cybersecurity signals and creating a process for intake and handling of vulnerability information; conducting cybersecurity risk analyses; and implementing device-based features to mitigate the risks on a device's functionality.
In May 2016, the FDA issued a draft guidance regarding 3D printed devices for the first time. The guidance entitled Technical Considerations for Additive Manufactured Devices addressed technical considerations associated with the design, manufacturing, and device testing of 3D printed devices. Although not addressing cybersecurity, the FDA acknowledged patient safety risks associated with the file format conversion process. Because additive manufacturing requires files to be compatible across the various software applications that are used, the file formats must be converted to ensure compatibility and this process creates a risk of errors that can negatively affect the shape and dimensions of the finished device. The FDA explained that "patient-matched devices that follow the patient anatomy precisely are especially vulnerable" to errors in the file conversion process because "anatomic curves are typically geometrically or mathematically complex and can create difficulties when calculating conversions." The FDA recommends that manufacturers "test all file conversion steps with simulated worse-case scenarios to ensure expected performance, especially for patient-matched devices" and maintain and archive final device files in standardized formats that are able to house additive manufacturing information.
It remains to be seen whether the FDA will issue a guidance regarding cybersecurity considerations specific to 3D printed devices. However, device manufacturers and hospitals should regularly conduct cybersecurity risk assessments in conjunction with their Information Technology, risk management, and legal departments under the protection of applicable legal privileges to minimize exposure to regulatory or legal action.
This article is presented for informational purposes only and is not intended to constitute legal advice.
