Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
The FDA has issued a new document for dealing with
cybersecurity. The agency has a legitimate concern about threats
from viruses and worms that can wreak havoc on a network.
The problems we are faced with today stemming from viruses and worms directed at
disrupting or destroying healthcare networks are very serious. This comes on the
eve of rapid transition from conventional radiology-related capture methods to
the growing digital Picture Archiving and Communications Systems (or PACS).
Entire departments are being converted to digital imaging and reporting.
Archived images are being scanned and stored on computer drives. And diagnosis
is being conducted from these same computer systems. It is not inconceivable
that a virus or worm could make its way into such systems and cause the
destruction, and hence the loss, of critical information.
Overall, the hospitals are furious at how slowly manufacturers
incorporate patches and other mitigating workarounds. They’ve asked the FDA to
step in and referee this ongoing battle.
To deal with this threat the FDA has issued a document on cybersecurity that
strives to answer specific questions on the issue. One of the more important
questions is one of responsibility. The FDA makes it clear that the manufacturer
is responsible. The FDA goes on to mention that threats should be addressed
directly to the manufacturer. This obligation falls under the quality system
regulation under 21 CFR 820.100.
One of the biggest concerns manufacturers have regarding implementing changes
(or patches) to their software is that of validation. However, the FDA makes it
clear that you will need to validate any patches that you implement (21 CFR
820.30(i)). There really isn’t any shortcut. In the long run the device’s safety
and efficacy rely on proper validation. The flip side of the coin is that the
manufacturer doesn’t do anything, or waits until it’s absolutely necessary. The
consequences can be devastating to the industry.
In conclusion, manufacturers should be preparing contingency plans for
dealing with serious threats. Waiting until the
last possible minute can result in unhappy customers as well as failing
software. We could see a growing trend in marketing where quick patch turnaround
and response play an important part in hospitals' decisions to go with
particular packages.
It would be a lot easier if the FDA were to say: “…you don’t need to validate
software….following a patch.” In the end, though, the manufacturers would stand to lose,
for it is with validation that you demonstrate that your product is safe and
effective.