MedTech devices and connectivity – Mission impossible?

Today, a growing number of MedTech devices are connected to hospital networks or directly to the internet also for use at home. The devices are made to securely and reliably track, for example, blood pressure or blood sugar at home. The devices can be categorized as the Internet of Medical Things (IoMT). MedTech market grows, and also new innovative startups step in.

"Earlier, when devices’ functionalities did not depend on the software, and there was no connectivity, it was possible to create devices with a smaller team. Nowadays we need large groups of experts for every stage of product development", says Antti Tolvanen, Sales Director for Software & Embedded at Etteplan.

Connected MedTech devices are improving patient care, but at the same time, connectivity is making devices more vulnerable to cybersecurity incidents that can put patients and consumers at risk. MedTech companies must manage product cybersecurity risks.

While the regulatory requirements are increasing, functionalities that rely on AI and connectivity also make medical technology devices more complex.

The growing need for expertise can become a problem for companies that want to develop everything in-house. Nowadays, an increasing number of MedTech/IoMT devices are developed by utilizing a partnership model. This allows MedTech companies to complement their in-house expertise with any specific competencies required to make it to the market successfully and solve future challenges related to EOL and evolving market requirements.

The more complex a connected device is, the more important it is to take care of its cybersecurity. The requirements for cybersecurity will be even more complex when AI is involved. Organizations responsible for assessing the devices, Notified Bodies will go through the technical file, including documents related to secure product development lifecycle, before CE-marking.

It is also wise to keep in mind that the recently adopted Radio Equipment Directive delegated act, and the soon to be adopted General Product Safety Regulation proposal will regulate the cyber security of also health and wellness devices. Technical product security requirements, such as software updates, cannot be implemented without supporting security infrastructure.

"Legal manufacturers should not attempt to build security infrastructure for devices by themselves as it is expensive and always requires extensive expertise, unless the security infrastructure is also the company's core competence", says Etteplan's Antti Tolvanen.