Cybersecurity – A Real Threat to Medical Devices

The FDA is Taking Notice of Medical Device Cybersecurity

The FDA just issued a Safety Communication on cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals, or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.

Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers. This can potentially harm the patient. While it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling this product, cybersecurity is still a real concern. It will be critical for manufacturers to implement appropriate safeguards now that more and more devices are connecting remotely to healthcare networks.

In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. These attacks could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. As products rely more heavily on networked communication, medical device cybersecurity is going to become an even greater concern....
Avoid Common Medical Device Software Development Life Cycle Pitfalls

Learn Potential Software Development Life Cycle Pitfalls to Pay Attention To

IEC 62304 is the international standard that defines software development life cycle requirements for medical device software. IEC 62304 was developed from the perspective that product testing alone is insufficient to ensure patient safety. It provides a common framework for medical device manufacturers to develop software components. Conformance with this standard demonstrates that there is a software development process in place that fulfills the requirements of the Medical Device Directive.

If your medical device has software that regulates its functionality in a way that contributes to Basic Safety or Essential Performance, then you will need to comply with IEC 62304. This standard requires all aspects of the Software Development Life Cycle (SDLC) to be managed to ensure patient safety, including: development and code reviews; risk management; configuration management; incident and bug resolution; validation; and maintenance.

The most common mistake medical device manufacturers make is failing to assess which elements of risk their software mitigates. These are the elements that must be addressed by IEC 62304. For example, what would happen if the creator of a hoist didn’t properly vet the software that signaled the hoist to lower the patient at a certain speed? If a patient were lowered too quickly – or not at all – there would be a risk management nightmare. Since software plays a role in the Basic Safety functions of the hoist, it must comply with 62304’s requirements.

Common software functionality manufacturers fail to recognize as IEC 62304 compliance issues include: Alarms and Alerts – often an Essential Performance requirement because they are intended to detect abnormalities; Speed & Position...
FDA Issues Final Guidance on Reusable Medical Devices

Endoscopes Linked to “Superbugs” Lead to New FDA Guidance for Reusable Medical Devices

UPDATE: The FDA has released the slides from their presentation on Reprocessing Medical Devices. Get the slides here.

In light of the fatal “superbugs” that have been plaguing hospitals after using endoscopes, the FDA has released new guidance for reusable medical devices. While the risk of getting an infection of this type is low, there is still a risk. With that in mind, the FDA has updated their thinking with the release of Reprocessing Medical Devices in Health Care Settings.

The FDA also intends to put together an advisory panel to review and discuss the transmission of “superbug” infections via endoscopy procedures. The purpose of the panel is to seek expert scientific and clinical opinion related to reprocessing of duodenoscopes and other endoscopes, as well as automated endoscope reprocessors, based on available scientific information. The committee will make recommendations on: the effectiveness of cleaning, high level disinfection, and sterilization methods; the amount and type of premarket validation data and information needed to support labeling claims and technical instructions; the appropriate use of other risk mitigations, such as surveillance cultures; best practices and guidelines for reprocessing duodenoscopes and endoscopes at user facilities to minimize the transmission of infections; and recommended approaches for ensuring patient safety during ERCP procedures, including a discussion of appropriate patient selection.

It will be interesting to note how the regulations will adapt to meet the needs of patients with the increase in antibiotic-resistant...
Don’t Forget Safety Testing and the Value of Risk Management!

Establish the Safety of Your Medical Device with IEC 60601 Compliance

In our experience, the aspect of medical device development and commercialization most frequently forgotten by emerging companies is establishing a safety profile of a product. While clinical data or clinical trials may be necessary for establishing safety for some products, many Class II devices that follow a 510(k) clearance pathway require minimal, if any, clinical data to support safety claims. Once the need for clinical data is either planned for or eliminated, establishing the safety of a medical device through additional testing tends to be less of a priority.

Depending on the technology incorporated into your medical device, applicable safety standards need to be identified during the design stages of the product. The most widely accepted benchmark for establishing safety for electrical medical devices is a standard called IEC 60601-1, where compliance has become an acceptable means for satisfying electrical safety requirements for the commercialization of electrical medical devices in the European Union.

60601-1 has undergone revision recently. The third edition is enforced now in the EU and the second edition is currently applicable in the U.S. The FDA will require the use of the third edition of the standard for new devices as of June 30, 2013. In this new edition of the standard, there is strong emphasis on risk assessment, ISO 14971 and, in the U.S., a focus on device usability as an important factor contributing to the safety of the device.

Product testing to 60601-1 is a very technical exercise that involves laboratory testing against the standard by a test house, such as Underwriters Laboratories. If...
Implement 21 CFR Part 820 Controls Early On

Benefits and Risks of Moving to the Cloud

Migrating to the Cloud: What are the Benefits?

According to the National Institute of Standards and Technology, the cloud is “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Most companies’ IT infrastructure uses less than 30% of its capacity. It took years to get the capacity to where it is today, and it takes months to increase capacity. Employing qualified resources to maintain such an infrastructure is difficult and expensive. Cloud providers utilize about 65% of their capacity and can add capacity quickly. In short, cloud providers benefit from economies of scale, which enables them to lower individual usage costs and centralize infrastructure costs.

Companies benefit by only paying for what they consume. Companies can increase or decrease their usage rapidly, and can spend less time managing complex IT resources. Not only do efficiency improvements reduce costs, the nature of some costs can change from being capital investment in hardware and infrastructure (CapEx) to a pay-as-you-go (OpEx) model.

Maximizing IT capacity utilization, improving IT flexibility and responsiveness, and minimizing cost are not the only advantages of the cloud. Collaboration can be one of the most important advantages of cloud computing. Multiple users, from around the world, can collaborate more easily on documents and projects. Because the information is hosted in the cloud, and not on individual computers, business owners can collaborate with external stakeholders in a secure environment with nothing...