MedTech devices and connectivity – exciting opportunities, tightening regulations

Today, a growing number of MedTech devices are connected to hospital networks or directly to the internet for use at home. The devices are made to track securely and reliably, for example, blood pressure or blood sugar at home. The devices can be categorized as the Internet of Medical Things (IoMT). The MedTech market grows, and new innovative startups step in.

"Earlier, when devices’ functionalities did not depend on the software, and there was no connectivity, it was possible to create devices with a smaller team. Nowadays, we need large groups of experts for every stage of product development", says Antti Tolvanen, Sales Director for Software & Embedded at Etteplan.

Connected MedTech devices are improving patient care, but at the same time, connectivity is making devices more vulnerable to cybersecurity incidents that can put patients and consumers at risk. MedTech companies must manage product cybersecurity risks.

While the regulatory requirements are increasing, functionalities that rely on AI and connectivity make medical technology devices more complex.

The growing need for expertise can become a problem for companies that want to develop everything in-house. An increasing number of MedTech/IoMT devices are developed using a partnership model. This allows MedTech companies to complement their in-house expertise with any specific competencies required to successfully make it to the market and solve future challenges related to EOL and evolving market requirements.

The more complex a connected device is, the more critical it is to handle its cybersecurity. The requirements for cybersecurity will be even stricter when AI is involved. Organizations responsible for assessing the devices, such as Notified Bodies for EU will go through the technical file, including documents related to secure product development lifecycle before CE-marking. In the USA, FDA surprised the MedTech industry by making secure product development lifecycle process-related documentation of new medical device submissions mandatory practically overnight.

It is also wise to keep in mind that the recently adopted Radio Equipment Directive delegated act and the soon to be adopted General Product Safety Regulation and Cyber Resilience Act proposals will regulate the cyber security of health and wellness devices. Technical product security requirements that are becoming mandatory, such as software updates, can only be implemented with supporting security infrastructure.

"Medical devices have long life cycles, while commercial systems for device lifecycle management may have unpredictably short lifecycles. Considering the wide range of security requirements that need to be implemented into medical devices, it could also be feasible for medical device manufacturers to develop a proprietary solution for security infrastructure. The related ‘make or buy’ decision is crucial", says Etteplan's Antti Tolvanen.

Medical devices and their manufacturers are heavily regulated today. EU regulates practically everything related to digitalization to mitigate safety, privacy, and fundamental rights risks to people and entities. The regulatory burden on MedTech companies will increase via NIS2 and Data Act, among others.

On the 18th of October 2024, NIS2 turns medium-sized and large medical device manufacturers into “Essential or Important Entities” that must have an appropriate information security management system. The EU Data Act in turn, places new requirements on connected products and related digital services, and medical devices are not exempted. Users of products will gain ownership of the data the devices have generated, and thus need to be provided e.g. with free access to all the usage data.

“This new regulation will surely create additional challenges to medical device manufacturers and health care providers. It really will be worth to start studying Data Act requirements already today,” encourages Etteplan’s regulation expert Antti Tolvanen.