Cybersecurity’s Impact on Health Systems

We are currently seeing significant technological advances in medical devices, hospital networks and patient care. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect a device’s performance, functionality and safety to the patient. In recent years, researchers have demonstrated the potential threat of medical device and healthcare system hacking. They have been able to tamper with pacemakers, insulin pumps and other devices, which, if hacked, could cause serious harm, including death, to a patient. Recently, the FDA identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and the corresponding Merlin@home Transmitter. These vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. While no patients were harmed, this serves as a warning that similar devices containing configurable embedded computer systems can be vulnerable to cybersecurity intrusions and exploits, as well. To address these technological risks, in December 2016, the FDA finalized the guidance, “Postmarket Management of Cybersecurity in Medical Devices.” In reference to the guidance, Suzanne B. Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health stated that, “manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” The new guidance...
Cybersecurity – A Real Threat to Medical Devices

The FDA is Taking Notice of Medical Device Cybersecurity

The FDA just issued a Safety Communication on cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals, or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures. Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers. This can potentially harm the patient. While it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling this product, cybersecurity is still a real concern. It will be critical for manufacturers to implement appropriate safeguards now that more and more devices are connecting remotely to healthcare networks.

In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. These attacks could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. As products rely more heavily on networked communication, medical device cybersecurity is going to become an even greater concern....
Life Science Cloud Vendor Selection Part 2

Technology Strategies to Ensure Benefits and Mitigate Risk

Options to Discuss with your Life Science Cloud Vendor

Cloud computing is defined to have several deployment models, each of which provides distinct trade-offs when migrating applications to a cloud environment. NIST defines the cloud deployment models as follows:

Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Choosing the correct deployment can depend on who needs to access the service, budget and security concerns. Private clouds are the most secure and most expensive. Private clouds allow companies to have isolated sections of a cloud where you can launch resources in a virtual network. You can have complete control over your virtual networking environment and place your backend systems, such as databases or application servers, in a section with no Internet access. You can limit...
Cloud Vendor Selection for Life Sciences

Benefits and Risks of Moving to the Cloud, Including Cloud Vendor Selection

Migrating to the Cloud: What are the Benefits?

According to the National Institute of Standards and Technology, the cloud is “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Most companies’ IT infrastructures use less than 30% of their capacity. It took years to get the capacity to where it is today, and it takes months to increase capacity. Employing qualified resources to maintain such an infrastructure is difficult and expensive. Cloud providers utilize about 65% of their capacity and can add capacity quickly. In short, cloud providers benefit from economies of scale, which enable them to lower individual usage costs and centralize infrastructure costs. Companies benefit by only paying for what they consume. Companies can increase or decrease their usage rapidly, and can spend less time managing complex IT resources. Not only do efficiency improvements reduce costs, but the nature of some costs can also change from being capital investment in hardware and infrastructure (CapEx) to a pay-as-you-go (OpEx) model.

Maximizing IT capacity utilization, improving IT flexibility and responsiveness, and minimizing cost are not the only advantages of the cloud. Collaboration can be one of the most important advantages of cloud computing. Multiple users, from around the world, can collaborate more easily on documents and projects. Because the information is hosted in the cloud, and not on individual computers, business owners can collaborate with external stakeholders in a...