Tuesday, October 3, 2023

Cybersecurity, Medical Devices, and Recall Risk By Chris Harvey, Senior VP of Brand Protection at Sedgwick

Technology has made the world more interconnected – from smartphones and cars to refrigerators and medical devices.

That connectivity can be a huge benefit if it means getting information to a doctor more efficiently, being able to monitor vital signs, or even having two different medical devices talk to each other to help manage care. But as with most technology applications, those benefits also make devices more vulnerable to cyber threats.

An April 2022 draft guidance from the Food and Drug Administration (FDA) on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions raised concerns about the threat.

“With the increasing integration of wireless, Internet- and network-connected capabilities, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device related health information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important,” the FDA report noted. “In addition, cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact.”

The agency has also called attention to the increasing use of software in healthcare, whether as a medical device itself (software as a medical device (SaMD)) or as a component of a device (software in a medical device (SiMD)). Both of these applications were addressed in a Guidance for the Content of Premarket Submissions for Device Software Solutions published in November 2021 to guide manufacturers during software design, development, verification, and validation. The November publication updated and expanded on documents issued in 2014 and 2016, demonstrating that the agency is trying to keep abreast of changes and new threats.

The FDA specifically stated that the guidance applied to devices that “contain software (including firmware) or programmable logic” as well as SaMD and did not just apply to devices that were “network-enabled or contain other connected capabilities.” The document describes recommendations regarding the cybersecurity information to be submitted for devices under a range of premarket submissions.

The Pandemic Effect

The COVID-19 pandemic pushed the integration of software and medical devices even further as medical professionals and device manufacturers looked for ways to remotely program and monitor a wide variety of medical devices. While the industry had been moving in this direction already, the pandemic rapidly sped up advances because there was a critical need to keep frontline healthcare workers safe while still caring for COVID-19 patients, particularly early in the health emergency when personal protective equipment was in short supply and so much was still unknown about the virus and its transmission and treatment.

In March 2020, the FDA published its Enforcement Policy for Non-Invasive Remote Monitoring Devices Used to Support Patient Monitoring During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency which was intended to expand the availability and capability of non-invasive remote monitoring devices so that patients could be monitored while reducing contact between them and healthcare providers.

The policy clearly stated that this was only to be in effect during the COVID-19 public health emergency (PHE), but it is hard to imagine clawing back all the advances that have been made in the past two years whenever the PHE is declared to be over.

Software Issues Drive Device Recalls

With the widespread use of software in medical devices and patient care, it’s not surprising that software issues have been the leading cause of medical device recalls for 21 of the past 26 quarters. Software problems were responsible for a total of 1,389 medical device recalls since January 2016, 21 percent of all recall events. Though not every recall is a cybersecurity risk, there have been some, including one in 2017 involving vulnerabilities in pacemakers and another in 2019 over concerns with a wireless insulin pump that had the potential of being hacked, which could have life-threatening health impacts.

The FDA has tried to clarify what its role is in medical device cybersecurity versus what is the manufacturer’s responsibility. The agency put quality system regulations (QSRs) in place that require medical device manufacturers to address cybersecurity risks. The FDA has also issued several premarket and postmarket guidances to help companies meet these QSRs.

The agency has clearly stated that manufacturers can always update a medical device for cybersecurity. Typically, the FDA does not need to review changes made to medical devices if the only purpose and impact of the changes are to strengthen cybersecurity.

Because the FDA does not conduct premarket testing of medical devices, manufacturers are responsible for validating all software design changes, including computer software changes to address cybersecurity vulnerabilities. Manufacturers also bear responsibility for the safety, effectiveness, and security of off-the-shelf (OTS) software they may use in their devices.

The FDA’s 2018 Medical Device Safety Action Plan offered further recommendations, focusing on five key areas: establishing a robust medical device patient safety net in the United States; exploring regulatory options to streamline and modernize timely implementation of postmarket mitigations; spurring innovation towards safer medical devices; advancing the cybersecurity of medical devices; and integrating the Center for Devices and Radiological Health’s (CDRH’s) premarket and postmarket offices and activities to advance the use of a total product life cycle approach to device safety.

The plan highlights some of the steps the FDA has taken to “promote a multistakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices.” These include collaborating with the Department of Homeland Security (DHS) on potential cybersecurity vulnerabilities.

Total Product Life Cycle Responsibilities

Another factor in cybersecurity risk assessment is the increased postmarket surveillance as part of the total product life cycle (TPLC) that U.S. and European regulators are starting to consider. The FDA highlights this in its April 2022 document, stating that “the rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product life cycle (TPLC) warrants an updated, iterative approach to device cybersecurity.”

The agency goes on to say that implementing and adopting a Secure Product Development Framework (SPDF) is one way to address TPLC considerations. It defines a SPDF as “a set of processes that reduce the number and severity of vulnerabilities in products throughout the device life cycle.”

Those processes may include updating the security risk management report as information about new threats, vulnerabilities, assets or adverse impacts is discovered during development and after the device is released. The FDA also recommends using threat modeling to quickly identify vulnerability impacts once a device is released and to support timely Corrective and Preventive Action (CAPA) activities.

As a step toward better cybersecurity over the service life of a device, it is recommended that companies’ risk management documentation consider differences in how to manage “fielded devices,” both marketed devices and devices no longer marketed but still in use. There will likely be different risk profiles across devices if an update is not applied automatically to all devices in the field at the same time. Manufacturers need to have a process in place to account for these variations.

The FDA cybersecurity guidance also provides recommendations for security assessments, security architecture, cybersecurity testing, and transparency and vulnerability management plans.

Looking Ahead

The Federal Food, Drug & Cosmetic Act (FD&C Act) does not provide the FDA with express federal statutory requirements for medical device manufacturers regarding cybersecurity. But both the U.S. Senate and the House of Representatives have introduced bipartisan bills that would amend the law. The proposed changes would mandate certain cybersecurity requirements for any manufacturer of a “cyber device,” defined as a device that includes software or is intended to connect to the Internet.

Even without specific regulations, medical device manufacturers must remain vigilant about identifying risks and hazards associated with their products. They should compare the FDA guidances to their internal plans to ensure they align.

While the guidances are not legally binding, they do show how the agency is looking at best practices. Being in compliance can build goodwill between the agency and the company, while also reassuring partners, suppliers, and consumers that the manufacturer is taking proactive steps to protect patient health and personal data.

Editor’s Note: Chris Harvey is senior vice president of brand protection at Sedgwick. With 15 years’ experience, he is recognized as an expert in the recall industry and routinely speaks on best practices at trade shows, conventions, and conferences. Throughout his career, Chris has managed more than 1,200 recall and in-market remediations, including hundreds for the largest U.S. and global brands. He also serves on the board of directors of the International Consumer Product Health and Safety Organization (ICPHSO).
