As the number of network-connected medical devices increases, opportunities for improved patient care also increase. With that growth, exposure to cyber-attacks becomes a greater threat. Medical device cybersecurity threats can be dangerous for providers, networks, and device manufacturers. They can put patient safety at risk and/or create a breach of data. The FDA encourages manufacturers to consider potential cybersecurity risks and vulnerabilities “throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.”
R&Q recently presented the webinar, Cybersecurity: Regulatory and quality ramifications. During the session we answered several of your questions, a sample of which are below. To see all of the questions and answers from the session, along with the slides and recording, check out the on-demand webinar.
Q: Is FDA enforcing cybersecurity requirements for all devices right now?
A: The FDA is enforcing cybersecurity. They've issued several guidance documents pertaining to cybersecurity that point to guidances, vulnerabilities they know are out there, and 21 CFR 806 for corrections and removals.
The FDA does not necessarily want reporting on every single security flaw - that’s not their goal. They are homing in on adverse events or death and, when it comes down to it, enforcing the safety of medical devices.
They also are looking for remediation to be done in a certain period of time. The FDA wants to encourage manufacturers to participate in information-sharing organizations that share vulnerabilities and threats. Information Sharing and Analysis Organizations (ISAOs) are excellent resources.
Q: When do I need to validate software for cybersecurity?
A: Validate, validate, validate. Companies often need to get information and patches out quickly. The medical device manufacturer is responsible for determining when validations need to be done. It is part of the software design changes process. Note that the FDA does not automatically require review or approval of medical device software changes made solely to strengthen cybersecurity.
However, the EU has stated in the Medical Device Regulation (MDR) that they do not consider patches minor changes, so tread carefully. Health delivery organizations want to implement patches quickly, particularly changes to their operating system, but this often causes pain. Medical device manufacturers have to have an opportunity to see what different patches do. Some that are selected will be used, yet others selected will not be used because they cause problems with the performance of the product. It’s vital that health delivery organizations (HDOs) do not react too quickly when putting in place all the patches that they get from Microsoft. They may need to give the device manufacturer time to perform testing to ensure those patches will not cause problems.
In conclusion, speed is important when it comes to software validation, but it's also important that your HDOs get information about when patches should or should not be implemented.