2020s Predictions: Medical Device Security and Accountability

January 20, 2020 | Posted by JAMA

Velentium was pleased to contribute to this blog series from JAMA Software, which solicited input from thought leaders across industries to forecast what's next for medical device development and related engineering fields in the coming decade. The post below originally appeared at

As we enter a new decade of technological advancements, Jama Software asked select thought leaders from various industries for the trends and events they foresee unfolding over the next 10 years.

In the third installment of our 2020s Predictions series, we’re featuring predictions from Chris Gates, Principal Systems Security Architect at Velentium, a professional engineering firm specializing in the design and manufacturing of therapeutic and diagnostic active medical devices.

Jama Software: What are the biggest trends you’re seeing in medical devices right now and how are they impacting product development?

Chris Gates: Regulatory bodies and Health Delivery Organizations (HDOs) are now mandating the creation and lifelong support of secure medical devices. This “Secure Lifecycle” starts with the first step in the development lifecycle and extends to the last day the medical device is marketed. This fundamental shift results in a tremendous amount of new artifacts to be managed and traced throughout the normal document tree, including security plans, requirements, test reports, post-market surveillance reports, approved supplier lists (ASL), etc., not to mention all the activities needed to create those artifacts in the first place!

JS: What are some continuing or new trends in medical device development you expect to see over the next decade?

CG: HDOs contractually mandating Medical Device Manufacturers’ (MDMs) level and nature of ongoing support for the life of the medical device in their organization, including in-field patching of software/firmware; Software Bill of Materials (SBOM); and assuming liability for all damages caused by the use or misuse of the device (such as being hacked and weaponized to attack other systems in the HDO). These are not activities or processes that have been previously supported or funded by MDMs.

JS: What sorts of process adjustments do you think development teams will need to make to accommodate these changes? Do you think they’ll need to make technology investments, process adjustments, or both?

CG: Yes, yes, and yes. This will result in large changes to organizations and how they work, plan, and budget for medical device development. For example, they’ll need “all of the above” to accommodate the ongoing post-market surveillance impacts on the utilization of third-party software packages in future devices. This is all part of the changes to the ASL. No longer can MDMs view medical device development as “a separate event” with a beginning and an end. Securing medical devices is an ongoing collaborative effort with HDOs.

JS: Any regulatory changes you anticipate to medical devices over the next decade? How do you see this impacting development teams?

CG: More enforcement “teeth” being given to the FDA by Congress, especially in the area of MDMs’ “responsible vulnerability disclosure,” which is currently optional for MDMs. However, the FDA, Congress, and HDOs are all in agreement that this activity needs to be mandatory and thus enforced. Hopefully we will see some worldwide harmonization of security standards and generated artifacts, as currently these regulatory bodies are very fractured in their approach to secure development and the generated artifacts.

JS: What do you think will remain the same in medical device development throughout the 2020s?

CG: Focus on “safety and efficacy” will remain steady, as well as a continued drive to shrink medical devices to the smallest physical package possible to enable more home healthcare scenarios. Similarly, the increased use of “telemedicine” and related connectivity solutions enabled by these home healthcare devices and smartphones will continue.

JS: Anything else you’d like to add?

CG: Even though the transition to secure medical device development and support may be financially uncomfortable, medical device security is the responsibility of all MDMs. Remember, the patient you are protecting might be yourself or a loved one!
Chris Gates is Velentium’s Principal Security Architect, overseeing the company’s Cybersecurity division. He graduated from California State University Northridge with a B.S. in Computer Science. Along with his colleague Axel Wirth, Chris is hard at work on a book about medical device cybersecurity, a how-to guide for engineers and medical device manufacturers, which is scheduled for release next year.
