Bolstering Cybersecurity for Connected Medical Devices

IEEE Medical Device Cybersecurity Certification Program helps address evolving risks


Medical devices increasingly use wireless connectivity and advanced digital capabilities, especially for conditions requiring continuous patient monitoring and automated intervention. These capabilities enable more personalized treatment options, with the goal of improved health outcomes.

One example is the growing demand for connected diabetes devices (CDDs) such as blood glucose monitors, continuous glucose monitors, insulin pumps, smart insulin injection pens, and automated insulin dosing (AID) systems.

However, the growing use of such devices brings increased cybersecurity risk. These risks can affect patient safety, privacy, and health outcomes, and must be addressed appropriately.

To help stakeholders address potential CDD cyber-vulnerabilities, IEEE Standards Association (IEEE SA) has published the IEEE 2621™ Series of standards. The IEEE 2621 Series has been recognized by the United States Food and Drug Administration (FDA) and is designed to align with national cybersecurity strategies released by the United States Government.

The IEEE 2621 Series is a result of the collaborative efforts of stakeholders including manufacturers, clinicians, FDA staff, test laboratories, cybersecurity solutions providers, and industry associations worldwide.

The series provides guidance on how to identify and counter relevant threats, describes the CDD functional requirements needed for a wireless security evaluation program, and defines best practices and incorporates them into the program's framework.

While the IEEE 2621 Series is a major step forward, an ongoing critical need is to certify that a given CDD does in fact conform to these standards. To help device manufacturers accomplish that quickly, easily, and cost-effectively, IEEE SA has established the IEEE Medical Device Cybersecurity Certification Program.

Product Certification Helps Device Manufacturers

Device manufacturers who participate in the program benefit because certification differentiates their products, builds trust with patients and clinical professionals, and helps reduce liability exposure.

The certification program includes:

  • Assessment of a CDD by an IEEE-approved laboratory
  • Testing carried out according to the IEEE 2621 Test Plan and Checklists to remove ambiguity from the process
  • Standardized reporting of test results

Keeping ahead of cybersecurity regulations is critical not just for compliance but for market success. The checklists are built on IEC 80001-5-1 and AAMI TIR57, two globally recognized standards that address, respectively, the secure software development lifecycle and medical device security risk management. They are aligned with Section 524B of the U.S. Federal Food, Drug, and Cosmetic Act, to help ensure devices meet current federal cybersecurity requirements.

By participating in this program and meeting its requirements, devices can earn the IEEE Certification Mark, a trusted symbol that signals cybersecurity readiness to regulators, partners, and customers. Because the program is designed to align with FDA submission criteria, certification can help streamline a manufacturer's FDA review. Certified devices are listed in the IEEE Medical Device Registry, a resource for customers seeking secure, reliable technologies.

Expanding the IEEE 2621 Series to Other Connected Medical Devices

The existing IEEE 2621 standards and test plan can be adapted and extended to bring the same cybersecurity benefits to other connected medical devices. Specialized subcommittees within the IEEE 2621 Certification Advisory Committee (CAC) will soon begin work to extend the certification to connected medical devices across all therapeutic areas.

Related Work

IEEE SA also has other medical device-related workstreams that incorporate cybersecurity measures to protect patient privacy, ensure the integrity of medical data, and facilitate the interoperability of connected devices.

The IEEE 11073 Standards Committee collaborates with other global standards organizations to address the need for an openly defined, independent standard for controlling information exchange among connected personal health devices (PHDs) and the systems used to manage and control them (e.g., cell phones, personal computers, health gateways, etc.).

An example of the committee's work is IEEE/ISO 11073-40102-2022, IEEE/ISO International Standard – Health informatics – Device interoperability – Part 40102: Foundational – Cybersecurity – Capabilities for mitigation. This standard defines application-layer cybersecurity mitigation techniques for PHDs.

Another relevant IEEE SA activity is the Zero Trust Cybersecurity for Health Technology Tools, Services, and Devices Industry Connections Program. It is a global community of technology stakeholders developing recommendations for a suite of new zero-trust network access (ZTNA) standards that integrate commercial and open-source products to demonstrate the security properties of Zero Trust Architecture (ZTA) when applied to enterprise IT use cases.

The recently published IEEE/UL 2933™-2024 Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS – Trust, Identity, Privacy, Protection, Safety, Security defines a TIPPSS framework for Clinical IoT data and device interoperability with healthcare systems, including electronic health records (EHR), electronic medical records (EMR), other Clinical IoT devices, in-hospital devices, and future devices and connected healthcare systems.

Interested in Participating?

Although highly valuable work has already been accomplished, much more is needed, given the growing use of connected medical devices and the evolving nature of cyber threats. We welcome your participation! Learn more and take the next step today.
