Cybersecurity’s Impact on Health Systems

We are currently seeing significant technological advances in medical devices, hospital networks and patient care. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect a device’s performance, functionality and safety for the patient. In recent years, researchers have demonstrated the potential threat of medical device and healthcare system hacking. They have been able to tamper with pacemakers, insulin pumps and other devices which, if hacked, could cause serious harm, including death, to a patient. Recently, the FDA identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and the corresponding Merlin@home Transmitter. These vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. While no patients were harmed, this serves as a warning that similar devices containing configurable embedded computer systems can be vulnerable to cybersecurity intrusions and exploits as well. To address these technological risks, in December 2016 the FDA finalized the guidance “Postmarket Management of Cybersecurity in Medical Devices.” In reference to the guidance, Suzanne B. Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships at the Center for Devices and Radiological Health, stated that “manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” The new guidance...
Avoid Common Medical Device Software Development Life Cycle Pitfalls

Learn Potential Software Development Life Cycle Pitfalls to Pay Attention To

IEC 62304 is the international standard that defines software development life cycle requirements for medical device software. IEC 62304 was developed from the perspective that product testing alone is insufficient to ensure patient safety. It provides a common framework for medical device manufacturers to develop software components. Conformance with this standard demonstrates that there is a software development process in place that fulfills the requirements of the Medical Device Directive. If your medical device has software that regulates its functionality in a way that contributes to Basic Safety or Essential Performance, then you will need to comply with IEC 62304.

This standard requires all aspects of the Software Development Life Cycle (SDLC) to be managed to ensure patient safety, including:

Development and code reviews
Risk management
Configuration management
Incident and bug resolution
Validation
Maintenance

The most common mistake medical device manufacturers make is failing to assess which elements of risk their software mitigates. These are the elements that must be addressed by IEC 62304. For example, what would happen if the creator of a hoist didn’t properly vet the software that signaled the hoist to lower the patient at a certain speed? If a patient were lowered too quickly – or not at all – there would be a risk management nightmare. Since software plays a role in the Basic Safety functions of the hoist, it must comply with 62304’s requirements.

Common software functionality manufacturers fail to recognize as IEC 62304 compliance issues include:

Alarms and Alerts – often an Essential Performance requirement because they are intended to detect abnormalities
Speed & Position...
Is Your Medical Device a Secret Safety Risk?

WHEN: Thursday February 26th
WHERE: Your office
TIME: 1.30pm – 3.00pm

Compliance with IEC 62304 is required for all electromedical devices where basic safety is dependent on software or firmware. But many device companies remain unaware that the devices they manufacture must meet this standard. That may be because there’s confusion stemming from a key guidance, in which the requirement is called both voluntary – and mandatory.

To help you unravel the complexities of IEC 62304, Rita King of MethodSense has partnered with FDAnews to present a 90-minute webinar on February 26, 2015 that will clarify who the rule affects, what it requires, and what you need to do to ensure FDA approval of your products.

At the heart of the requirement is patient safety – whether or not software impacts what is called the Essential Performance (EP) of your device, thus putting a patient at risk in the case of a software failure. This level of risk can be hard to discern at the manufacturing level. For example, what would happen if a hoist manufacturer didn’t properly vet the software that signaled it to lower the patient at a certain speed? Lowering a patient too quickly (or not at all) can quickly turn into a risk management nightmare, with IEC 62304 regulatory – and legal – implications.

Register now and you will find out how to secure FDA approval of your device by clearly demonstrating that your product safety testing is adequate. Specifically, you will learn:

How to identify the two biggest pitfalls: documentation and software pedigree.
How to understand and address 3 significant non-compliance factors: software...
Understand how the FDA uses the IEC 62304

IEC 62304 Safety Requirements

FDA medical device recalls are on the rise. An increasingly active FDA, coupled with the rise in software components for medical devices, is adding up to new challenges for manufacturers. Given this reality, it’s important to understand how the FDA uses IEC 62304, an international standard which, among other things, holds that product testing by itself is not enough to prove software is safe for patients using the medical device. The standard provides a common framework for medical device manufacturers to develop software. Conformance with this standard provides evidence that there is a software development process in place that fulfills the requirements of the Medical Device Directive.

Because it has been harmonized with the Medical Device Directive in the EU and recognized as a Consensus Standard by the FDA in the US, IEC 62304 can be used as a benchmark to comply with regulatory requirements in both markets. To date, this standard has been recognized in most countries that use compliance standards to fulfill regulatory requirements. Complying with 62304 enhances the reliability of your device’s software by requiring attention to detail in design, testing and verification, ultimately improving the overall safety of the medical device.

Is IEC 60601-1 Required, Too?

Here’s the $64,000, or usually much higher, question: Does your device have to meet IEC 60601-1 requirements? The EU has been using IEC 62304 since 2008, but it has gained even more traction with its incorporation into the third edition of IEC 60601-1’s Amendment 1. The inclusion of Amendment 1 shifted the standard from a recommendation to a requirement if your device utilizes software. For those...
Medical Device Data Systems and Data Integrity

Time to Take a Closer Look at FDA MDDS Moves

The FDA recently released a new draft guidance document for Medical Device Data Systems (MDDS). The FDA defines MDDS as “hardware or software products that transfer, store, convert formats and display medical device data. An MDDS does not modify the data, and it does not control the functions or parameters of any connected medical device. MDDS are not intended to be used in connection with active patient monitoring.” The core issue it raises, I believe, is one of data integrity. More on that later.

Explaining the Medical Device Data Systems Draft Guidance

The new draft guidance cites the growing trend “that many medical devices be interoperable with other types of medical devices and with various types of health information technology.” And further, “since down-classifying MDDS, the FDA has gained additional experience with these types of technologies, and has determined that these devices pose a low risk to the public,” the FDA wrote. “Therefore, the FDA does not intend to enforce compliance with the regulatory controls that apply to MDDS devices, medical image storage devices and medical image communications devices.”

The FDA’s interest in this kind of risk-based approach has pleased a great many. On the one hand, the draft guidance demonstrates a proactive approach by the FDA for addressing the explosion of mobile health applications in the light of pending legislation on the same topic in the US Congress. It frees application developers to innovate without the additional burden of regulatory compliance, and it dovetails with the rapidly expanding electronic health ecosystem servicing the informational appetites of healthcare...