My recent work has involved providing regulatory assistance to software medical devices. One thing I have been learning about is how security and privacy are handled with these types of products. Oftentimes I have experienced clients grouping regulatory affairs with privacy and security. Project teams have looked to the regulatory engineers for guidance on how to handle privacy and security of patient data used within the software. This was a new area of focus for me. In my research on privacy and security I looked a lot to internal experts on these two subjects. In addition, the FDA has issued a draft guidance titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.
This draft guidance was very interesting. It describes using a risk analysis approach to maintain the confidentiality, integrity and availability of a medical device's software, and it explains what type of documentation is recommended for these products in a premarket submission.
At a high level, the draft guidance discusses the types of security controls that should be put in place. These control measures include:
- Limiting access to trusted users by means of authentication, such as passwords, card readers or other credentials
- Protecting device components from security risks by applying routine security patches and restricting software and firmware updates to authenticated code
- Incorporating fail-safe modes into the device design so that essential functionality is maintained in the event of a security breach or compromise
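To make the second and third controls concrete, here is an added example (my own illustration, not code from the FDA guidance or from any device manufacturer) of an update gate that only installs firmware carrying a valid manufacturer signature, refuses older signed images so an attacker cannot replay a known-bad version, and drops into a fail-safe mode that keeps the current firmware running when an update is rejected. The package layout (version plus image plus Ed25519 signature over version||image), the `Device` type, and the fail-safe semantics are all assumptions made for the example; on a real device this check lives in the bootloader with the public key in ROM or one-time-programmable memory rather than in application code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Mode is the device's operating state after an update attempt.
type Mode int

const (
	ModeNormal   Mode = iota
	ModeFailSafe // current firmware kept, reduced functionality, rejected update logged for follow-up
)

// UpdatePackage is a hypothetical update container (assumed format, not from the guidance):
// the new image, its version, and an Ed25519 signature over version||image.
type UpdatePackage struct {
	Version   uint64
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the manufacturer key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed firmware")
)

// NewManufacturerKey generates the manufacturer's signing key pair; the public half is
// provisioned into the device at manufacture, the private half never leaves the vendor.
func NewManufacturerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedBytes binds the version to the image so a valid signature on one image cannot
// be recombined with a different version number or a different image.
func signedBytes(version uint64, image []byte) []byte {
	msg := make([]byte, 8, 8+len(image))
	binary.BigEndian.PutUint64(msg, version)
	return append(msg, image...)
}

// SignUpdate is the manufacturer-side step, included so the example runs stand-alone.
func SignUpdate(priv ed25519.PrivateKey, version uint64, image []byte) UpdatePackage {
	return UpdatePackage{Version: version, Image: image,
		Signature: ed25519.Sign(priv, signedBytes(version, image))}
}

// VerifyUpdate accepts only code signed by the manufacturer key and newer than what is
// installed. The signature is checked first so the version field is never trusted
// before it has been authenticated.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint64, pkg UpdatePackage) error {
	if len(pub) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, signedBytes(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

// Device models the installed firmware and the device's current mode.
type Device struct {
	ManufacturerKey ed25519.PublicKey
	Version         uint64
	Firmware        []byte
	Mode            Mode
}

// ApplyUpdate installs a verified image; anything else leaves the running firmware in
// place and switches to fail-safe mode so clinical function is preserved.
func (d *Device) ApplyUpdate(pkg UpdatePackage) error {
	if err := VerifyUpdate(d.ManufacturerKey, d.Version, pkg); err != nil {
		d.Mode = ModeFailSafe
		return err
	}
	d.Version, d.Firmware, d.Mode = pkg.Version, pkg.Image, ModeNormal
	return nil
}

func main() {
	pub, priv := NewManufacturerKey()
	d := &Device{ManufacturerKey: pub, Version: 1, Firmware: []byte("firmware v1 (constructed sample)")}

	fmt.Println("genuine v2:", d.ApplyUpdate(SignUpdate(priv, 2, []byte("firmware v2 (constructed sample)"))), "mode:", d.Mode)

	tampered := SignUpdate(priv, 3, []byte("firmware v3 (constructed sample)"))
	tampered.Image = append([]byte{}, tampered.Image...)
	tampered.Image[0] ^= 0xff // one flipped byte: signature no longer matches
	fmt.Println("tampered v3:", d.ApplyUpdate(tampered), "mode:", d.Mode, "still running:", string(d.Firmware))

	fmt.Println("replayed v1:", d.ApplyUpdate(SignUpdate(priv, 1, []byte("firmware v1 (constructed sample)"))), "mode:", d.Mode)
}
```

The rollback check matters as much as the signature: a signed image is authentic forever, so without a version bound an attacker who obtains an old vulnerable release can "update" the device back to it with a perfectly valid signature.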
I think this topic of cybersecurity is very up-and-coming in the medical device field because more and more mobile apps and software are being considered standalone medical devices.
--Jillian F. Walker
Image Credit: DeWitt Clinton at Flickr.com