September 6, 2019
For healthcare product and medical device technology developers, ensuring effective support for cybersecurity compliance is becoming a key step in securing regulatory approval and market access.
Cyber-attacks have shifted in status from being news headlines to becoming a mundane part of day-to-day operations for many businesses, including hospitals. However, for many product development teams, designing products with security in mind is a new and daunting challenge, and when coupled with uncertainty about how regulators may view those approaches, the concerns grow even more.
In 1997, the US FDA formally began to examine the role of software in the safety and effectiveness of medical devices. In 2008, significant investments began to take place, not just in the US, but around the world, to create new technologies that would reduce healthcare costs and make healthcare more readily available to the growing population, where the proportion of elderly people with chronic health conditions was outpacing the capacity for healthcare delivery. These technologies were mostly based on software.
In 2013, FDA, the US Federal Communications Commission and the Office of the National Coordinator for Health Information Technology (ONC) came together with the private sector to look into the full scope of risks associated with new technologies including mobile medical apps, clinical decision support software, telemedicine devices, and a host of others. This assessment was conducted under the FDA Safety and Innovation Act, and ultimately, when followed by the 21st Century Cures Act, drew some fairly clear lines to distinguish technologies that would receive significant regulatory scrutiny from those that would not. During this same period of time, we saw a sudden uptick in the healthcare sector in exploitation of vulnerabilities and weaknesses in software, a phenomenon we now know well as “cyberattacks.”
Even though the attempt to “deregulate” was aimed at easing the market deployment of innovative new healthcare technologies, it left many manufacturers wondering how they would deal with the lack of a regulatory safety net to help them establish market confidence in the security of the innovative new products that were being launched.
This became the role of Voluntary National Consensus Standards, such as ANSI/CAN/UL 2900-1 and ANSI/CAN/UL 2900-2-1 (the Standard for Safety - Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems), which were also formally recognized by FDA as well as several other regulators around the world for the role they could play in security assurance.
The requirements of these standards address the following key issues to ensure an acceptable level of cybersecurity hygiene:
These standards were developed by the Standards Technical Panel, a multi-stakeholder National Consensus Body assembled under the ANSI Canvass process to represent the various interests in cybersecurity from across the sector, including hospitals, academia, manufacturers, component vendors, clinicians, patients, and many others.
For connected medical device and technology developers seeking third-party support for successful product development, market access and regulatory compliance, identifying partners with the experience and capability to work with them as well as their component vendors and healthcare system integrators is crucial. Viable third-party consultants and advisors to medical product developers should be able to provide support during all phases of a product lifecycle:
Ken Modeste is Director and General Manager, Digital Health at UL Life & Health Sciences.