MDCG 2019-16 – Guidance on cybersecurity for medical devices
MD101 comments in their recent blog the new guidance on cybersecurity for medical devices: the MDCG 2019-16: “This guidance covers a broad range of topics applicable to all stakeholders in the medical device supply chains, and to end-users. It explains a bit why it is 46 pages long.
Section 1 – Introduction
The first section of the guidance draws the link between regulatory requirements and cybersecurity processes / artifacts. The figures 1 & 2 are quite a good synthesis of the MDR requirements covering cybersecurity. Note that these figures could be duplicated with several other topics, like electrical security, biocompatibility (and so on), and state-of-the-art applicable standards.
The topics listed in section 1.4 cover all topics where cybersecurity is involved. This list is very useful to assess where cybersecurity requirements shall be implemented in your QMS processes. E.g: design controls, post-market surveillance.
Section 2 – Basic cyber concepts
If you’ve already read documents like AAMI TIR 57 or the 2 FDA guidances on cybersecurity, you will retrieve in this section some information common to these documents. The novelty in this MDCG guidance is the link between these concepts and the MDR General Safety and Performance Requirements (GSPR).
We also retrieve in this section concepts of defense in depth, good security hygiene (basic security hygiene in FDA guidance), and the relationship between security risks and safety risks.
Another concept is introduced, not so easily found in other guidance: the link between usability engineering and cybersecurity:
[a vulnerability] should be regarded as an enabler of reasonably foreseeable misuse .
If an exploit exists, an user will use it with a probability to assess, linked to the user’s education level and the ease of exploitation based on use scenarios.
The concept of joint responsibility is also introduced. All stakeholders in the supply chain shall take their part of the job: medical device integrators operators, and users. Manufacturers, don’t be fooled by this joint responsibility: as usual, your responsibility will be engaged in case of adverse event. You shall have established processes to ensure the proper installation, deployment, configuration, and exploitation of your devices in a secure manner. Simply said, this joint responsibility doesn’t exonerate manufacturers. Quite the opposite, it engages the responsibility of other stakeholders.
Section 3 – Secure design and manufacture
Section 3 delves into technical details (as far as a guidance can do, it’s not a standard), with a list of good practices to ensure that the device is secure by design. These 6 best practices can be seen as the steps of processes found in IEC 62304 design and maintenance processes:
Security management:
4.1 of ISO 13485, for the security risk management process
5.1 of IEC 62304: Software development plan
6.1 of IEC 62304: Software maintenance
Specification of Security Requirements:
5.2 of IEC 62304: software requirements analysis
Secure by design, including defense in depth:
5.3 of IEC 62304: software architecture
Secure implementation:
5.4 of IEC 62304: software detailed design
5.5 of IEC 62304: software implementation and unit verification
and a precision on SOUP management
Secure Verification and Validation
5.6 of IEC 62304: software integration testing
5.7 of IEC 62304: software system verification
Management of security-related issues
6.2 of IEC 62304: Problem and modification analysis
9 of IEC 62304: Problem resolution
Security update management
6.3 of IEC 62304: Modification implementation
8.2 of IEC 62304: Change control
Security guidelines:
5.8 Software release
and also software documentation, see IEC 82304-1 section 7.
Security Risk management
Section 3.2 continues with recommendations on the security risk management process, especially the link between security risks and their impact on safety. A very important remark is present in this section, for the sake of clarity of safety risk management reports: safety risk assessment might list generic security related hazards (…). This is to avoid detailing every possible attack vector.
This section also insists on the fact that compliance to GSPR 1 to 4 requires to assess security risks. Thus, cybersecurity isn’t nested only in GSPR 17.2 on software, but is promoted to the first main GSPR’s.
Security capabilities
Section 3.3 lists some possible security capabilities for software. This list is absolutely not exhaustive. This is a good starting point, though.
Interestingly, this section also contains an analogy between the precedence of safety mitigation actions (section 6.2 of ISO 14971) and their security risk equivalent. Worth reading!
This section ends with a remark on the need to maintain safety and effectiveness but also performance requirements and efficiency of mitigation actions, with security capabilities. New columns to your risk assessment matrices?”
Please find the complete article here.
Please get in touch with us:
+49-176-57694801
FDA issues Digital Health Innovation Action Plan
On March 26, 2020, the FDA published a paper called “Digital Health Innovation Action Plan” outlining the efforts to reimagine the FDA’s approach to ensuring all Americans have timely access to high-quality, safe, and effective digital health products. As part of this plan, the FDA committed to several key goals:
- Issuing guidance to modernize their policies.
- Increasing the number and expertise of digital health staff at the FDA.
- Developing the Digital Health Software Precertification Pilot Program (“Pre-Cert”).
From mobile medical apps and software that support the clinical decisions doctors make every day to artificial intelligence and machine learning, digital technology has been driving a revolution in health care. Digital health tools have the vast potential to improve our ability to accurately diagnose and treat disease and to enhance the delivery of health care for the individual. Digital tools are giving providers a more holistic view of patient health through access to data and giving patients more control over their health. Digital health offers real opportunities to improve medical outcomes and enhance efficiency.
How Is the FDA Advancing Digital Health?
The FDA’s Center for Devices and Radiological Health (CDRH) has established the Digital Health program, which seeks to better protect and promote public health and provide continued regulatory clarity by:
- Fostering collaborations and enhancing outreach to digital health customers, and
- Developing and implementing regulatory strategies and policies for digital health technologies.
How Are Digital Health Products Used?
Providers and other stakeholders are using digital health technologies in their efforts to:
- Reduce inefficiencies,
- Improve access,
- Reduce costs,
- Increase quality, and,
- Make medicine more personalized for patients.
Patients and consumers can use digital health technologies to better manage and track their health and wellness related activities.
The use of technologies, such as smart phones, social networks, and internet applications, is not only changing the way we communicate, but also providing innovative ways for us to monitor our health and well-being and giving us greater access to information. Together, these advancements are leading to a convergence of people, information, technology, and connectivity to improve health care and health outcomes.
Why Is the FDA Focusing on Digital Health?
Many medical devices now have the ability to connect to and communicate with other devices or systems. Devices that are already FDA approved, authorized, or cleared are being updated to add digital features. New types of devices that already have these capabilities are being explored.
Many stakeholders are involved in digital health activities, including patients, health care practitioners, researchers, traditional medical device industry firms, and firms new to the FDA regulatory requirements, such as mobile application developers.
The following are topics in the digital health field on which the FDA has been working to provide clarity using practical approaches that balance benefits and risks:
- Artificial Intelligence and Machine Learning (AI/ML) in Software as a Medical Device
- Cybersecurity
- Device Software Functions, including Mobile Medical Applications
- Health IT
- Medical Device Data Systems
- Medical Device Interoperability
- Software as a Medical Device (SaMD)
- Telemedicine
- Wireless Medical Devices
Please find the complete FDA article here.
Please get in touch with us for any further support:
+49-176-57694801
EU permits remote notified body audits during pandemic
Medtechdive.com reports that the European Commission’s Medical Device Coordination Group (MDCG) is allowing notified bodies to perform remote audits during the coronavirus outbreak, according to a guidance posted Wednesday. The MDCG detailed how notified bodies can run audits while quarantine orders and travel restrictions are stopping them from conducting site visits. The pandemic-oriented guidance the day after the Council of the European Union responded to the Commission’s proposed delay of the Medical Device Regulation. The Council’s planned amendments to the proposal clear up the confusion over whether the delay applies to all aspects of MDR.
Travel restrictions across the EU are stopping notified bodies from performing the on-site assessments central to their work. Recognizing that threat to the supply of medical devices, MDCG, an advisory group consisting of member state officials and industry players, laid out temporary measures notified bodies can take to work around the restrictions.
In some circumstances, notified bodies may perform remote audits. That option is open to notified bodies that have to carry out surveillance and recertification audits under the device directives, as well as when a manufacturer has filed a change notification or switched to a different notified body.
MDCG developed the guidance primarily to help notified bodies designated under the outgoing device directives. However, the advisory group said the flexibility provided in the guidance may apply to MDR and IVDR “in the event that the availability of devices is affected by COVID-19 restrictions.”
If an audit falls within the scope of the guidance, a notified body can leverage technology to perform a remote assessment. The guidance permits the off-site assessment of documents and records, and use of results from audits run under the Medical Device Single Audit Program, an initiative involving FDA and other regulators outside of the EU.
MDCG expects notified bodies to assess how to make use of the flexibilities provided by the guidance on a case-by-case basis. In doing so, notified bodies should consider the risks of each case, for example by factoring in their experience of the manufacturer and its compliance record.
The group is still developing guidance on the operational implementation of the principles.
Details of the flexibilities available to notified bodies emerged a day after the Council advanced the planned delay of the MDR date of application.
Please find the complete FDA article here.
Please get in touch with us for any further SaMD support:
+49-176-57694801
Software as a Medical Device (SaMD)
Orthogonal.io reports about the emerging trend within the medical device industry: Software as a Medical Device (SaMD). Over the last 40 years, the amount of software used both in and around medical devices has dramatically increased. The last 20 years in particular have seen an acceleration in this trend, thanks to the emergence of the “internet of things” (IoT) and its corresponding parts — smartphones, wireless connectivity, cheaper and better sensors, cloud computing, big data and AI — which are transforming how work gets done across almost every industry.
Please read the full article here
Please get in touch with us for any further support:
+49-176-57694801
Take Control of your Business – Digitize it!
Your Challenge
As a manufacturing manager in the pharmaceutical or medical device industry you are sometimes confronted with fragmented, inconsistent and inaccessible manufacturing operations data – often distributed across paper, spreadsheets, various computer applications, databases and measuring systems. The missing link between multiple legacy systems often causes a lack of manufacturing control and end-to-end visibility. On the other hand, you are facing many challenges, including increased competition, cost pressures, regulatory compliance, and patient safety standards, as well as reduced time-to-market. To ensure better and faster production, you are in urgent need for solutions that help to respond to market changes both quickly and appropriately.
Your Solution
Revolutionize your business with a cloud-based Manufacturing Execution System (MES) which is exactly tailored to your needs. Being on the cloud allows you to complete more work. It enables paperless manufacturing, as every piece of information is stored in memory. Business leaders achieve complete visibility and control across varying manufacturing locations at any time and can monitor productivity from any device with Web access. BI data can be accessed instantaneously, so managers are armed with real-time data, optimizing the decision-making process.
How You Benefit
Capitalize on optimized manufacturing processes, constant quality, full regulatory compliance, shortened time-to-production and time-to-market. You get a cost-effective, cloud-based MES solution tailored exactly to your needs. Be assured of full compliance with GxP and FDA procedures. We will provide you with a computer system validation (CSV) package that reduces validation effort and cost and fully supports your Validation Master Plan. On-site IT support and maintenance is not needed, your company can lower personnel costs while improving productivity. Auditing is simplified in the cloud, which speeds up otherwise tedious and complex tasks.
Contact Us
As a long-time partner to the life sciences industry, MedSysCon benefits from many years of experience in providing companies with the right MES software and services to help them achieve operational excellence. MedSysCon stands for reliable, high-quality consulting in the pharmaceutical and medical device field. We combine GxP professional know-how with software development expertise. Our strength origins in experience, expertise and passion for high-quality solutions. We are passionate about supporting you to finish your most challenging projects. Our solutions are custom-made. Profit from a modular, flexible, and scalable MES platform according to your individual needs.