August 6, 2019
The ways we diagnose, treat, and deploy therapy in medicine are changing rapidly every day. Even a routine urgent care visit to a doctor’s office is evolving to allow patients to access care through telemedicine from the comfort of their own homes. The methods used to treat patients at a doctor’s office, emergency room, surgery center or other healthcare facility are continuously being innovated.
For instance: imaging equipment that allows a radiological technician to share images in real time with a radiologist on a smart device or personal computer; the ability to pull precise dosage information for an infusion pump directly from the cloud; or the introduction of robotics into surgical environments. These are all examples of how technology has allowed clinicians to treat patients more efficiently and effectively, in the hope of achieving even better outcomes.
This all sounds fantastic, right? What could possibly be the downside to all of this innovation? Many readers probably already see where this question is leading. The answer is that all of those great innovations have led to an increased risk of cyber attack on medical device and health delivery organization (HDO) networks, while also potentially introducing new safety risks to patients. Cybersecurity risk is a challenge that needs to be addressed by medical device manufacturers, HDOs and regulatory stakeholders alike, and it is being addressed.
For the purpose of this post, we’ll examine the role that regulators, specifically the US FDA, are taking in terms of cybersecurity, and the effects that has on the product development submission processes that device manufacturers follow to bring connected or software-enabled products to market. Beginning in 2014 with the initial Premarket Guidance for Cybersecurity Management and then with the latest draft Premarket Guidance for Cybersecurity Management released in October 2018, FDA has outlined how it will evaluate software-enabled or connected medical devices.
Essentially, the evaluation criteria outlined in the FDA guidance documents entail four main concepts:
So what does each of these concepts mean practically for manufacturers, and what are some considerations that they may want to follow? Put simply, the first two elements are very process-driven criteria, while the latter two address testable criteria to evaluate whether a manufacturer’s risk controls are effectively implemented throughout the design process.
Having supported many manufacturers and developers in evaluating and mitigating risk, we have encountered organizations at various levels of cybersecurity maturity. We are often asked about resources that organizations can leverage to better address those four pillars highlighted in the Premarket Guidance.
All of the aforementioned standards are valuable resources that can be leveraged by organizations at any stage of product-level cybersecurity maturity.
Essentially, FDA and other regulators are now looking to see that manufacturers have considered cybersecurity risks throughout the product development lifecycle and incorporated strategies to mitigate those risks. Contemplating and addressing cybersecurity risks at the earliest stages of product development and throughout the product lifecycle is far more efficient and cost-effective than doing so later in your development process. In our experience, taking that approach will ensure that manufacturers are better prepared, and allow them to take products to market in a more expeditious manner.
Christopher Beeman is Business Development Manager at UL Healthcare & Life Sciences’ Digital Health division.