APAC MedTech: cybersecurity standards in one place
April 26, 2021
A month ago, I was speaking with a client at a global medical devices company. I was asked, “Why is cybersecurity so hard in Asia?” We talked about how challenging this issue is for him and his customers, the hospitals. Also, about the encouraging progress he’s seeing as the connected health landscape grows far beyond medical equipment in hospitals.
However, he noted that being “connected” has some big implications for medical devices. Current reports suggest medical data is up to 10 times more valuable to hackers than credit card credentials. Outdated legacy medical systems (hardware and software) compound the challenges, as does the fact that there are often few personnel trained in IT. And many staff presume that devices behind a firewall are safe.
All these challenges make connected health a great target for hackers. That’s why cybersecurity threats have emerged as the biggest challenge for MedTech companies and patients using their devices here in Asia Pacific (APAC).
Knowing the extent of the challenges makes my recent work on a cybersecurity standards database even more rewarding. But before we get to that, let’s look at MedTech’s position in the region.
The MedTech landscape in the APAC region is incredibly complex. It’s a patchwork of regional markets that vary in size and maturity. There are the developed countries like Japan and Australia, as well as emerging markets in Southeast Asia. It’s also a growing market, expected to be valued at US$157 billion by 2022.
A diverse array of medical technology products, both imported and locally manufactured, support the sector. Because of this, it depends on global and regional supply chains. There are also many regulatory bodies and a multitude of language requirements.
In the past, APAC has tended to import Class II/III medical devices such as heart stents, artificial knee implants and bone replacements from trusted brands like Boston Scientific, Medtronic and Johnson & Johnson Medical Devices Companies. These devices present the potential for risk of illness or injury if they’re not managed and monitored properly. They’re also the types of devices that are increasingly IoT-connected. Many collect personal patient data, making them attractive targets for cyberattacks.
Now, MedTech companies in the APAC region are investing in R&D and looking to extend their manufacturing to include more complex devices. They also want to export to the world market from their APAC centers. In both cases, they must comply with regulatory standards for cybersecurity to earn a right to play in these markets. They’ll also need to prove themselves worthy of patient and healthcare provider trust.
Furthermore, it’s not enough to consider just the requirements of the country they’re selling into. MedTech companies need to address cybersecurity from end to end. For example, if your company decides to launch a product in China, you must do more than meet the specific regulations and cybersecurity concerns in that country. You need to ensure the ongoing cybersecurity, safety and compliance of the product across its entire lifecycle. That’s no simple task. And it’s made more difficult when every country or region has its own unique standards.
Fortunately, the Asia Pacific Medical Technology Association (APACMed) is a unifying voice for regional MedTech industry players. I’ve personally been involved with the organization for many years and Accenture is an Associate Member.
APACMed represents manufacturers and suppliers of medical equipment and devices, industry associations and other key stakeholders, and seeks to:
It’s this last one, harmonizing standards, that I think will be most important to MedTech companies in the region wanting to extend their reach, whether into new markets or with new products and services.
Earlier in this post, I mentioned my recent work on a cybersecurity standards database. This is something I’ve been collaborating on with the APACMed Cybersecurity working group. What we’ve done is create a database of guidance documents and directives from major global regulatory bodies. It’s the first repository of its kind for MedTech companies in the region—and I think it’ll be an invaluable resource.
Key things we learned while working on the project include:
My team at Accenture and I recommend that the database become a living entity. Because regulations continue to evolve at a fast pace, it needs to be updated frequently, with input from stakeholders across the region. As a group, our goal is to make sure these changes are captured until harmonization efforts mature.
In this new “connected” era, it’s important for MedTech companies to build cyber resilience. At the same time, they need to comply with all the relevant regional and national regulatory standards. I recommend companies participate in APACMed cybersecurity initiatives. There are lots of lessons to learn from established MedTech companies in other regions. But it’s also time for those of us in the APAC region to work together to define standards that make sense in our market.
If you’d like to learn more about our work with APACMed, visit their website.