In December 2021, RQM+ acquired AcKnowledge Regulatory Strategies (AcKnowledge RS), a San Diego-based firm specializing in regulatory affairs consulting for the medical device and IVD industry. The integration of this impressive team enhances the extensive RQM+ network of current and former FDA reviewers, scientists, engineers and regulatory and quality experts, and adds expertise with FDA submissions. The author of this post is a member of this team, which has done significant work with novel and/or high-risk devices focusing on pre-submissions, 510(k)s, IDEs, PMAs, De Novos, Breakthrough Designation Requests and Safer Technology Program Requests.
As promised in our previous post, today we are back to discuss cybersecurity and a few of the devices for which cybersecurity has been an integral part of the device design.
To recap, what is cybersecurity as it relates to medical devices? In the 2018 draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” Phew! What a mouthful! In simpler words, make sure no one but the intended users has access to the device. With the ever-increasing use of wireless, Internet- and network-connected devices, portable media (think USB stick or CD), and the frequent electronic exchange of medical device-related health information, it is critical that medical device manufacturers preempt cyber attacks and protect patients from them.
From ventilators to fetal monitors, CT scanners to electrocardiographs, glucose meters to insulin pumps, cybersecurity is a real concern for medical devices used in home and hospital settings. In the past, cybersecurity incidents have rendered medical devices inoperable, and they have been known to significantly impact hospital networks, which are now relied upon almost exclusively to manage patient health records. With cyber attacks able to delay diagnoses and/or treatment, and possibly lead to patient harm, addressing any and all potential cybersecurity issues is critically important both before and after a device is brought to market.
As a way of highlighting the diversity of medical devices that have been manufactured with cybersecurity in mind, we wanted to describe a number of recently cleared devices.
First up is the AIRO® Computed Tomography (CT) X-ray System (K180393), a mobile CT scanner that can be used with both pediatric and adult patients. The device uses a computer and rotating X-ray machine to create cross-sectional images of the body, and the mobile imaging platform can be used to obtain a high-resolution CT scan of a patient while they are in the operating room undergoing surgery. Very cool! For a patient having a spinal tumor removed, by doing a CT scan in the operating room, the surgeon can ensure maximal tumor resection. For a patient having spinal screws placed, the CT scan during surgery can help ensure accurate placement of the screws and allow for any necessary revisions to be performed before the patient leaves the operating room. The AIRO® CT X-ray System is a sophisticated piece of technology, and as part of their 510(k), Mobius Imaging LLC worked to ensure their device was cybersecure.
Another, entirely different medical device that took cybersecurity into account during development is Health Beacons’ RFID Localization System (RFLS) (K181692). The system is used to mark breast lesions with a miniature RFID tag, and then with the help of the RFLS reader and surgical probe, locate the tag and the lesion during surgery to remove breast tissue. While the device is not connected to a network, the use of RFID technology and a hand-held device to pinpoint the location of the implanted RFID tag meant that Health Beacons took cybersecurity concerns into consideration when designing the device.
To round out our discussion of devices that take cybersecurity into consideration both during development and after marketing approval, let’s look at the recently updated Tempus Pro Patient Monitor (K201746) from Remote Diagnostic Technologies Limited. The Tempus Pro is a portable device used to monitor physiological signals such as heart rate, respiration rate, blood pressure, and blood oxygen saturation. The monitor has the ability to record and interpret ECG data, allowing for cardiac dysfunction to be monitored and assessed in real-time. For example, detection of an arrhythmia or heart rhythm abnormality triggers an alarm, alerting clinicians and qualified medical personnel of a potential problem. What brings the Tempus Pro into our discussion of cybersecurity is the fact that “the monitor is intended to be used as a stand-alone monitor or as a telemedicine system, transmitting patient data to other medical professionals located elsewhere.” Any time potentially sensitive or critical patient information is going to be transferred, a device manufacturer must think about how to preempt cyber attacks and protect patients against them.
With recent increases in the use of remote patient monitoring and telemedicine due to COVID, the need to consider and mitigate the risks associated with potential cyber threats becomes highly relevant and important. More and more medical devices are communicating wirelessly, are networked, and/or come with a way to visualize information or control the device via a smart device application. There are so many amazing and wonderful devices currently in development and on the market, and we are pleased FDA and manufacturers are working together to do their part and #BeCyberSmart.