Are you confident that your medical devices are FDA compliant?
Are you developing software for medical devices that are monitored remotely? Are you sure that your software is not vulnerable to any threat? Is your software validated as per the FDA pre- and post-market guidelines? This article covers the latest market trends and the computer system validation (CSV) implications of addressing cybersecurity risks.
Medical devices are used for diagnosis, prevention, monitoring, treatment, and control of diseases or for supporting or sustaining life. Medical devices can be any apparatus, machine, implant, appliance, reagent for in vitro use, material, software, implement, instrument or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings.
Advances in technology have enabled better patient care through remote monitoring of these medical devices, which relies on a wireless or wired connection. This in turn relies on software, which makes the devices vulnerable to incidents that could affect the safety and effectiveness of a device and the health and wellbeing of the people who rely on it.
The FDA encourages medical device manufacturers to address cybersecurity risks to keep patients safe and better protect the public health.
Here are some of the key pre- and post-market FDA guidelines:
- Validation of all software design changes is a must: The FDA does not conduct premarket testing for medical products. Manufacturers must test and validate all software design changes, including computer software changes made to address cybersecurity vulnerabilities.
- Role of Healthcare Delivery Organizations: The FDA recognizes that HDOs (Healthcare Delivery Organizations) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks.
- Risk assessment: Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address risks, including cybersecurity risk.
- Unauthorized access to the network: A cybersecurity vulnerability exists whenever the OTS (off-the-shelf) software provides an opportunity for unauthorized access to the network or the medical device. Cybersecurity vulnerabilities open the door to unwanted software changes that may affect the safety and effectiveness of the medical device. The FDA recommends closely tracking this.
- Software patch updates: Cybersecurity vulnerabilities may represent a risk to the safe and effective operation of networked medical devices using OTS software. Failure to properly address these vulnerabilities could have an adverse effect on public health. A major concern with OTS software is the need for timely software patches to correct newly discovered vulnerabilities. The FDA recommends closely tracking this.
For medical devices approved under PMAs (21 CFR Part 814), a PMA supplement is required for a software patch if the patch results in a change to the approved indications for use or is deemed by the manufacturer to have an adverse effect on the safety and effectiveness of the approved medical device. 21 CFR 814.39. Otherwise, you should report your decision to apply a software patch to your PMA device to FDA in your annual reports. See 21 CFR 814.39(b), 814.84.
- Be vigilant to cybersecurity risks: The need to be vigilant and responsive to cybersecurity vulnerabilities is part of the obligation under 21 CFR 820.100 to systematically analyze sources of information and implement the actions needed to correct and prevent problems. The preamble to the QS regulation explains that actions taken should “be appropriate to the magnitude of the problem and commensurate with the risks encountered” (61 Fed. Reg. 52633; Oct. 7, 1996). The guidance reminds manufacturers of some of the actions that will ordinarily be necessary to address this particular type of software concern. Under 21 CFR 820.30, design validation requires that devices conform to defined user needs and intended uses, including an obligation to perform software validation and risk analysis where appropriate. Software changes made to address cybersecurity vulnerabilities are design changes and must be validated before approval and issuance (21 CFR 820.30).
- Modification to an existing medical device: A new 510(k) submission to the FDA is necessary for a change or modification to an existing medical device in the following scenarios, which the FDA recommends manufacturers follow:
  - The medical device has a new or changed indication for use (e.g., the diseases or conditions the medical device is intended to treat).
  - The proposed change (e.g., a modification in design, energy source, chemical composition, or material) could significantly affect the safety or effectiveness of the medical device.
  - It is possible, but unlikely, that a software patch will need a new 510(k) submission. As with all changes made to devices, you should document the basis of your decisions in the design history file. See 21 CFR 820.3, 820.30.
Are you an end user of a medical device? Educate yourself with the FDA guidance for end users.
- Stay informed. The U.S. Food and Drug Administration (FDA) regulates all medical devices. If a medical device’s software has a weakness that might make it vulnerable to a cyberattack, the FDA may issue a safety communication that includes information about the vulnerabilities and recommended actions for patients, providers, and manufacturers.
- Register the device. Even though it is an extra step, registering a medical device with the manufacturer may help them reach the user more quickly when there is an urgent need to send out important information about the device, including software updates and safety communications.
- Update your software. Technology evolves over time, so the software on a user’s medical device will need to be updated. Medical device manufacturers can update a medical device for cybersecurity when needed and often do so by providing software updates.
- Look for glitches and report issues. A device that is not working as expected could be a sign that something isn’t right, so it should not be ignored. If users suspect that there is an issue with their device, they should notify their health care provider and the device manufacturer, and report the issue to the FDA’s MedWatch.
- Share information. Family members or caregivers of the end user should be trained on the medical device. If a device isn’t working properly for any reason, someone who is already familiar with it may be able to help recognize and report the issue. This is especially important if the end user isn’t very tech-savvy. Also, make sure the user’s family knows how to reach the health care provider who prescribed the device in case the user cannot.
Best practices and elements to consider when developing a cybersecurity communication framework
The Patient Engagement Advisory Committee (PEAC or the Committee) provides advice to the Commissioner or their designee on complex, scientific issues relating to medical devices, the regulation of medical devices, and their use by patients.
Key highlights from the latest PEAC meeting on October 22, 2020 held by FDA include:
- Interpretability: Early access to serious cybersecurity vulnerability information may provide assurance to patients and empower them to take early action to avoid potentially harmful consequences to their health. Clearly explaining the risks near the top of the safety communication and stating the urgency of the risk is one way to emphasize critical information to the audience. While keeping it simple will help all audiences better understand the communication, it is also important to ensure that the information is available to diverse readers in their preferred language.
- Discussing risks and benefits: The Committee recommended a “balanced discussion between risk and benefits, highlighting the benefits especially if it is a lifesaving device”.
- Acknowledging and explaining the unknown: If a vulnerability is detected in a device, but that device has no means of detecting whether the vulnerability has been exploited, it is important to state that there are “no known exploits at this time” rather than “no exploits”, as it would be impossible to state with certainty that there were no exploits.
- Availability and findability of information: The Committee generally believes that knowledge does not necessarily confer responsibility and that the burden should not be put on the patient to find the information pertaining to risks or threats associated with their device(s). The FDA should make sure that the burden is on industry to communicate the risk and is not pushed back on the patient to find it.
- Structure of the communication material: Safety communications on cybersecurity risks are more easily found if they incorporate best practices in search engine optimization (SEO), such as:
  - Including the name of the manufacturer and the device name (or device category name) in the title of the communication, if the cybersecurity vulnerability is specific to a medical device or group of medical devices;
  - Including other important keywords that patients may search for near the beginning of the title, such as the name of the cybersecurity vulnerability; and
  - Incorporating important keywords in the content itself, including the list of specific medical devices as well as the associated diseases or conditions.
- Outreach and distribution vehicles: As with any important communication, having an outreach plan and developing appropriate communication channels aids the comprehensive dissemination of safety communications, including those about cybersecurity vulnerabilities.
The aim of medical devices is to enhance health and help people live longer, healthier lives. However, any software-driven medical device that relies on a wireless or wired internet connection is at risk, especially if the device is older and was not designed with cybersecurity in mind. To handle cybersecurity threats, device manufacturers, hospital facilities and people, including patients and caregivers, must work together. If the best practices and FDA regulations discussed above are followed closely, cybersecurity can be achieved.
Sogeti Ireland has dedicated Life Science and cyber security teams who are here to assist you in ensuring that you are CSV/FDA compliant.
To learn more about Sogeti Ireland’s dedicated Life Sciences practice, contact firstname.lastname@example.org