Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software – There is no shortcut

The FDA has issued a new document for dealing with cybersecurity. They have a legitimate concern about threats from viruses and worms that can cause havoc on a network.
The problems we face today from viruses and worms directed at disrupting or destroying healthcare networks are very serious. This comes on the eve of a rapid transition from conventional radiology-related capture methods to the growing digital Picture Archiving and Communications Systems (or PACS). Entire departments are being converted to digital imaging and reporting. Archived images are being scanned and stored on computer drives. And diagnosis is being conducted from these same computer systems. It is not inconceivable that a virus or worm could make its way into such systems and cause the destruction, and hence the loss, of critical information.

Overall, the hospitals are furious at the slow reaction of manufacturers to incorporate patches and other mitigating workarounds. They've asked the FDA to step in and referee this ongoing battle. To deal with this threat, the FDA has issued a document on cybersecurity that strives to answer specific questions on the issue.

One of the more important questions is one of responsibility. The FDA makes it clear that the manufacturer is responsible. The FDA goes on to mention that threats should be addressed directly to the manufacturer. This obligation falls under the quality system regulation, 21 CFR 820.100.

One of the biggest concerns manufacturers have about implementing changes (or patches) to their software is validation. However, the FDA makes it clear that you will need to validate any patches that you implement (21 CFR 820.30(i)). There really isn't any shortcut. In the long run the device's safety and efficacy rely on proper validation. The flip side of the coin is that the manufacturer doesn't do anything, or waits until it's absolutely necessary. The consequences can be devastating to the industry.

In conclusion, manufacturers should be preparing contingency plans for dealing with serious threats. Waiting until the last possible minute can result in unhappy customers as well as failing software. We could see a growing trend in marketing where quick patch turnaround and response play an important part in a hospital's decision to go with a particular package. It would be a lot easier if the FDA said: "…you don't need to validate software….following a patch." But in the end the manufacturers would stand to lose, for it is with validation that you demonstrate that your product is safe and effective.
© Medical Device School 2005