Episode 219  |  31:08 min  |  07.12.2021

Navigating the MedTech Cybersecurity Ecosystem

Cybersecurity continues to be a crucial concern for medical device safety and effectiveness in the US, for manufacturers and regulators alike.

In this episode of the Global Medical Device Podcast, Jon Speer talks to Mike Drues from Vascular Sciences about the opportunities and challenges associated with medical device cybersecurity. Listen as Mike and Jon share their thoughts on potential ways to eliminate or reduce cyber threats and encourage better cybersecurity practices for medical devices.

Some highlights of this episode include:

  • Cybersecurity is an important topic, but why is the FDA concerned about it? It’s important not to over-generalize.
  • For example, identity theft may involve a physical medical device or Software as a Medical Device (SaMD), and a person’s personal information, such as a credit card number, could be stolen. That should not be the FDA’s concern.
  • What about patient privacy? Personal health information and confidential electronic health records are a HIPAA matter, not the FDA’s concern.
  • Cybersecurity related to the safety and efficacy of a medical device, however, is the FDA’s concern. Safety and efficacy of medical devices is part of the mission of FDA’s Center for Devices and Radiological Health (CDRH).
  • Some have seen in the popular press, or been told as an urban legend, cybersecurity concerns about implantable devices such as insulin pumps, pacemakers, catheters, and angioplasty (a.k.a. the Johnny Carson Procedure).
  • NIST’s call for position papers/statements covered five areas:
      • Criteria for designating critical software.
      • Initial list of secure software development lifecycle standards, best practices, and other acceptable guidelines.
      • Guidelines outlining security measures that will be applied to the federal government’s use of critical software.
      • Initial minimum requirements for testing software source code.
      • Guidelines for software integrity chains and provenance.
  • The categories above are not new and don’t really relate to cybersecurity. These should be standard operating procedures for companies developing products where cybersecurity and software are applicable.
  • How to minimize or avoid cybersecurity concerns? Join boards/committees to create standards, and determine whether there is a legitimate reason for the device to connect to the internet and communicate with the outside world.

Memorable Quotes from this episode:

“Safety and efficacy of medical devices is at least a paraphrase of part of the FDA - CDRH mission.” Jon Speer

“If there’s a cybersecurity concern that could affect the safety of the device, that is something that FDA could and should be, quite frankly, concerned about.” Mike Drues

“I’m a big fan of using regulatory logic.” Mike Drues

“None of this is new. These should be standard operating procedures for companies that are developing products where cybersecurity and software is applicable.” Jon Speer

Links:

FDA lays out device cybersecurity efforts as feds look to implement Biden executive order: https://www.medtechdive.com/news/fda-lays-out-device-cybersecurity-efforts-as-feds-look-to-implement-biden-e/601524/

Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security: https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/workshop-and-call-position-papers

Response to NIST Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security: https://www.fda.gov/media/149954/download

Health Insurance Portability and Accountability Act (HIPAA): https://www.hhs.gov/hipaa/for-professionals/index.html

FDA - Center for Devices and Radiological Health (CDRH): https://www.fda.gov/about-fda/fda-organization/center-devices-and-radiological-health

U.S. Department of Health and Human Services (HHS): https://www.hhs.gov/

The Terrorist Hack that Shocked America – and Why it Matters (Homeland Episode): https://www.cnbc.com/id/100306578

Johnny Carson Procedure (Angioplasty): https://www.sun-sentinel.com/news/fl-xpm-1999-03-25-9903250167-story.html

Al Gore: https://www.algore.com/

International Organization for Standardization (ISO): https://www.iso.org/home.html

ASTM International - Standards Worldwide: https://www.astm.org/

Underwriters Laboratories (UL): https://www.ul.com/

Mike Drues of Vascular Sciences on LinkedIn: https://www.linkedin.com/in/michaeldrues

Global Medical Device Podcast, Episode 164: What is a multiple function device? https://www.greenlight.guru/blog/multiple-function-device

Greenlight Guru Academy: https://www.greenlight.guru/academy

The Greenlight Guru True Quality Virtual Summit: https://virtual-summit.greenlight.guru/

MedTech True Quality Stories Podcast: https://www.greenlight.guru/podcast-mtqs

Greenlight Guru YouTube Channel: https://www.youtube.com/channel/UCYfQsPqHW8H8mZ4xpM4gn1Q

Greenlight Guru: https://www.greenlight.guru/
