Episode 219
Navigating the MedTech Cybersecurity Ecosystem
Cybersecurity continues to be a crucial concern for medical device safety and effectiveness in the US, for manufacturers and regulators alike.
In this episode of the Global Medical Device Podcast Jon Speer talks to Mike Drues from Vascular Sciences about the opportunities and challenges associated with medical device cybersecurity. Listen as Mike and Jon share their thoughts on the potential ways to eliminate or reduce cyber threats and encourage better cybersecurity practices for medical devices.
Some highlights of this episode include:
- Cybersecurity is an important topic, but why is the FDA concerned about it? It’s important not to over-generalize.
- For example, identity theft may involve a physical medical device or Software as a Medical Device (SaMD). With that, a person’s personal information such as their credit card number could be stolen. Should not be the FDA’s concern.
- What about patient privacy? Personal health information or confidential electronic health records are a HIPAA matter - not the FDA’s concern.
- Cybersecurity related to the safety and efficacy of a medical device, however, is the FDA’s concern. Safety and efficacy of medical devices is part of FDA’s Center for Devices and Radiological Health (CDRH) mission.
- Some have seen in the popular press or been told the urban legend around cybersecurity concerns for implantable devices, such as insulin pumps, pacemakers, catheters, and angioplasty (a.k.a. the Johnny Carson Procedure).
- NIST’s call for position papers/statements covered five areas:
- Criteria for designating critical software.
- Initial list of secure software development lifecycle standards, best practices, and other acceptable guidelines.
- Guidelines outlining security measures that will be applied to the federal government’s use of critical software.
- Initial minimum requirements for testing software source code.
- Guidelines for software integrity chains and provenance.
- The categories above are not new and don’t really relate to cybersecurity. These should be standard operating procedures for companies developing products where cybersecurity and software is applicable.
- How to minimize or avoid cybersecurity concerns? Join boards/committees to create standards, and determine if there’s a legitimate reason to connect to the internet and communicate with the outside world.
Memorable Quotes from this episode:
“Safety and efficacy of medical devices is at least a paraphrase of part of the FDA - CDRH mission.” Jon Speer
“If there’s a cybersecurity concern that could affect the safety of the device, that is something that FDA could and should be, quite frankly, concerned about.” Mike Drues
“I’m a big fan of using regulatory logic.” Mike Drues
“None of this is new. These should be standard operating procedures for companies that are developing products where cybersecurity and software is applicable.” Jon Speer
Links:
FDA lays out device cybersecurity efforts as feds look to implement Biden executive order
Health Insurance Portability and Accountability Act (HIPAA)
FDA - Center for Devices and Radiological Health (CDRH)
U.S. Department of Health and Human Services (HHS)
The Terrorist Hack that Shocked America – and Why it Matters (Homeland Episode)
Johnny Carson Procedure (Angioplasty)
International Organization for Standardization (IOS)
ASTM International - Standards Worldwide
Underwriters Laboratories (UL)
Mike Drues of Vascular Sciences on LinkedIn
Global Medical Device Podcast, Episode 164: What is a multiple function device?
The Greenlight Guru True Quality Virtual Summit
MedTech True Quality Stories Podcast