Every one of us has probably either been affected by or knows someone who has been affected by a cybersecurity vulnerability. Some attacks happen for the thrill, some to expose weaknesses between competitors, some for malicious intent, and some for money. We hear of these issues in our daily life - from computer viruses to financial incidents.
These types of threats have certainly surfaced in the medical device industry and we need to make sure we are positioned to address these early in the product development process and the post-market space. The ultimate goals are to make sure that a weakness in cybersecurity practices does not affect the functionality of a medical device in a harmful way, and to make sure sensitive patient data is protected as defined by region-specific regulations.
Most of us in the medical device industry are well-versed in safety risk. It is something that we can see and feel. Cybersecurity is a little more difficult to grasp because it concerns data breaches. Some of these data breaches can affect the safety of the device. Most of them impact the effectiveness of the device and/or are general nuisances. Every device that is connected and sending information via a private or public network is at risk.
What exactly is cybersecurity?
The FDA guidance for premarket submissions defines it as the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.
How can we address this?
For starters, we need to make sure our teams are educated on the topic and the right organizational structure is in place. Each company also needs a designated cybersecurity officer or expert who can help guide teams through the process and can keep current on ongoing cybersecurity attacks across industries. Finally, we need to make sure the right policies and procedures are in place.
Where can we find help?
R&Q's cybersecurity webinar will outline the regulations, standards, and FDA guidance that shape cybersecurity, so we recommend signing up for free. There are many standards and guidance documents that can help form the foundation of a good cybersecurity program. For starters, one can reference two FDA documents: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and FDA Staff, issued October 2, 2014, and Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and FDA Staff, issued December 28, 2016.
In parallel with developing a system to manage security, we also need to consider user privacy in our development efforts. Privacy violations can result in fines and bad press for companies. Privacy requirements are enforced by regulatory bodies such as the Federal Trade Commission (FTC) in the USA, or under the General Data Protection Regulation (GDPR) (fully applicable in May 2018) in the EU. Organizations should also set up privacy processes in collaboration with the security processes, as well as have a designated privacy officer or expert on site.
The privacy and cybersecurity landscape is dynamic. With the right people and processes in place, we can do our best to make sure that our users can use their medical devices safely and effectively, ideally without any data breaches or privacy violations. However, when something happens, organizations also need to have processes in place to remediate product that is in the field as quickly as necessary.
Learn much more about this dynamic topic on July 25th during R&Q's webinar.