Navigating Regulatory Issues for Medical Device Software

Similar documents
Medical Device Cybersecurity: FDA Perspective

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

Consideration of Cybersecurity vs Safety Risk Management

FDA & Medical Device Cybersecurity

Cyber Risk and Networked Medical Devices

Below we ve highlighted several of the key points from the final guidance document.

FDA CDRH perspective on new technologies in inhaler products

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Secrets of successful medical device connectivity. Agenda 4/5/17. * The secrets:

Comprehensive Cyber Security Risk Management: Know, Assess, Fix

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

HIPAA Security and Privacy Policies & Procedures

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, MD 20852

Medical Device Cybersecurity A Marriage of Safety and Security

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

Cyber Security for Process Control Systems ABB's view

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

April 28, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, MD 20852

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, Maryland 20852

Cybersecurity and Hospitals: A Board Perspective

Internet of Things Toolkit for Small and Medium Businesses

Sparta Systems TrackWise Digital Solution

Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare

Sparta Systems Stratas Solution

JUST WHAT THE DOCTOR ORDERED: A SOLUTION FOR SMARTER THERAPEUTIC DEVICES PLACEHOLDER IMAGE INNOVATORS START HERE.

Managing Medical Device Cybersecurity Vulnerabilities

MDISS Webinar. Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER)

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Addressing the elephant in the operating room: a look at medical device security programs

Navigation and Vessel Inspection Circular (NVIC) 05-17; Guidelines for Addressing

The Next Frontier in Medical Device Security

Center for Devices and Radiological Health Premarket Approval Application Critical to Quality

Sparta Systems TrackWise Solution

Altius IT Policy Collection Compliance and Standards Matrix

Practical Guide to the FDA s Postmarket Cybersecurity Guidance

Standard: Risk Assessment Program

I. The Medical Technology Industry s Cybersecurity Efforts and Requirements

Just How Vulnerable is Your Safety System?

Regulatory Aspects of Digital Healthcare Solutions

Recommendations for Implementing an Information Security Framework for Life Science Organizations

The NIST Cybersecurity Framework

IoT & SCADA Cyber Security Services

SECURITY & PRIVACY DOCUMENTATION

Standard CIP 007 3a Cyber Security Systems Security Management

Designing and Building a Cybersecurity Program

Google Cloud & the General Data Protection Regulation (GDPR)

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

Medical device security The transition from patient privacy to patient safety

CYBERSECURITY OF MEDICAL DEVICES AND UL 2900

Comprehensive Mitigation

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Security analysis and assessment of threats in European signalling systems?

DOD Medical Device Cybersecurity Considerations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

What It Takes to be a CISO in 2017

Checklist: Credit Union Information Security and Privacy Policies

Standard CIP Cyber Security Systems Security Management

MEDICAL APPS AND DEVICES THE CONVERGENCE OF FDA, FTC, AND STATE AND FEDERAL REGULATION

Security and Privacy Governance Program Guidelines

Protecting productivity with Industrial Security Services

Medical Device Usability

UDI Requirements and Resources

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

Design Considerations and Premarket. Recommendations for Interoperable Medical Devices Guidance for Industry and Food and Drug Administration Staff

Future-Proof Security & Privacy in IoT

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

EXHIBIT A. - HIPAA Security Assessment Template -

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Altius IT Policy Collection Compliance and Standards Matrix

Medical Device Vulnerability Management

This is a preview - click here to buy the full publication

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Policy and Procedure: SDM Guidance for HIPAA Business Associates

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Electronic Communication of Personal Health Information

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

Accelerate GDPR compliance with the Microsoft Cloud

Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health

Standard CIP 007 4a Cyber Security Systems Security Management

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Procurement Language for Supply Chain Cyber Assurance

An Update on the Activities and Progress of the mhealth Regulatory Coalition Prepared for the 2011 Medical Device Connectivity Conference

Juniper Vendor Security Requirements

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

LBI Public Information. Please consider the impact to the environment before printing this.

Webcast title in Verdana Regular

The simplified guide to. HIPAA compliance

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE

01.0 Policy Responsibilities and Oversight

HIPAA Compliance & Privacy What You Need to Know Now

Clinical Information Security Pre-Purchase Security Assessment Vendor Packet Instructions

Standard CIP Cyber Security Systems Security Management

HPH SCC CYBERSECURITY WORKING GROUP

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

External Supplier Control Obligations. Cyber Security

MassMEDIC s 21st Annual Conference

Transcription:

Navigating Regulatory Issues for Medical Device Software Michelle Jump, MS, MSRS, CHA Principal Regulatory Affairs Specialist Stryker Corporation IEEE Symposium on Software Reliability Engineering (Ottawa, ON) October 24, 2016

Many Issues to Consider Is my device made up solely of software? Does my device connect to a network? Is it a mobile app or use a mobile app as an accessory? What do regulators want to see for security? Does my device handle protected health information? 2

How might it impact me? What is changing? How should I prepare? Changes to Software Classification & MDDS Cybersecurity 3

Changes to Medical Device Software 4

Software Modifications What is changing? FDA has released guidance clarifying when to submit 510(k)s for software modification Previous FDA guidance (K-97) gave little specific guidance on software Result: lots of extra 510(k) When is a change to software considered significantly affecting safety or effectiveness? (21 CFR 807.81(a)(3)) http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm514737.pdf 5

Software Modifications Fundamentals Uses Risk Based Analysis to determine whether a change is significant 1. Add or modify an existing hazard? 2. Add or modify and existing cause? 3. Add or modify and existing mitigation? Could significantly affect evaluation and the role of testing Focus on known risks and outcome of testing Unintended consequences of changes Need to think about this but decisions based on planned changes 6

7

8

9

Software Modification How might it impact me? Clarify when to submit a 510(k) expect significant reduction More clear decisions on impact of software changes: based on standard risk management practices Allow for better management of changes in field Companion consideration: Distinguishing Medical Device Recalls from Enhancements (http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocume nts/ucm418469.pdf) 10

MDDS How should I prepare? Plan software architecture: no spaghetti code Be clear about functions of specific sections of code so risk of changes is clear Good risk management foundation to clearly assess and document risks: ISO 14971 is your friend 11

Classification and MDDS 12

Regulatory Strategy 101 for Connected Devices Historically: A Medical Device and its Accessories= a system Everything is grouped, cleared, and assessed as a system Connected Devices force a break in that mold Lines must be drawn between the device and the network/other devices Still must address the risks and functional needs of the connected environment The Snowflake Challenge: If you ve seen one hospital, then you ve seen one hospital. Hospitals McDonalds Identifying representative use environments is nearly impossible for many devices 13

MDDS: A useful tool Medical Device Data Systems (MDDS) are a unique product type Medical Device Data Systems (MDDS) are hardware or software products that transfer, store, convert formats, and display medical device data. DATA An MDDS does not modify the data or modify the display of the data, and it does not by itself control the functions or parameters of any other medical device. 14

MDDS What is changing? MDDS are now under enforcement discretion so FDA does not actively regulate (previously Class 1) No QS No registration and listing No audits No adverse events No recalls No 510(k) http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm401996.pdf 15

MDDS How might it impact me? They can serve as a separation point that defines the border of a medical device not part of the medical device MDDS can transfer command and control information as long as the it does not originate the command MDDS can also serve multiple devices Simplify 510(k) since not part of submission 16

DATA NO MDDS CLOUD MD #2 Medical Device System MD #1 17

DATA NO MDDS CLOUD MD #2 The system grows and things get complicated. MD #1 18

DATA With MDDS CLOUD MD #2 MDDS no current FDA oversight Clearer Boundaries MD #1 19

MDDS How should I prepare? They also serve as defining lines as to the edge of the device. The device stops where the MDDS begins. You still need to show the FDA that the device can interact and serve its function but only as it relates to the function provided to the medical device MDDS are under enforcement discretion meaning that FDA is not enforcing any regulations for these devices. 20

Cybersecurity 21

Cybersecurity What is changing? New Guidance from FDA on both premarket and postmarket Increased focus from regulators, researchers, and users No new regulations expected: Just a cost of doing business 22

Cybersecurity PREMARKET FDA Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (LINK) Fairly short and high level: 9 pages Structured around NIST Framework: Identify, Protect, Detect, Respond, Recover No 510(k)s for most cybersecurity patches In the 510(k) Hazard Analysis, mitigations, and design considerations Link your controls to the risks Provide PLAN FOR SOFTWARE UPDATES (new expectation outside basic design, V&V, risk) Summary of how you plan to keep malware out of your released software until transferred to customer IFU: describe security controls for the use environment (anti-virus, firewall) 23

Cybersecurity POSTMARKET FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices - Draft (LINK) More depth (25 pg) and includes additional premarket content Multitude of references to 21 CFR Part 820: FDA considers cybersecurity management part of existing regulations Important definitions: Essential Clinical Performance: performance necessary to achieve freedom from unacceptable clinical risk Compensating Controls: safeguard or countermeasure, external to device, used by user in lieu of sufficient controls designed in or to provide supplementary cyber protection; lends defense in depth Cybersecurity Signal: any information which indicate potential for vulnerability or exploit in medical device 24

Cybersecurity POSTMARKET FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices - Draft con t. Focus on vulnerabilities that may permit: unauthorized access, modification, misuse or denial of use, or unauthorized use of info that is stored, accessed, or transferred to an external recipient..or may impact patient safety. Identifying New Vulnerabilities Establish Coordinated Vulnerability Disclosure policy and process: hear from 3 rd parties Joining NH-ISAC: National Health Information Sharing and Analysis Center: share with industry Additional Benefit: Risk Management: both a premarket and postmarket consideration Key consideration: when do you have to address a vulnerability? Does it impacts Essential Clinical Performance? If so, is it controlled? How severe is the impact to health? 25

Cybersecurity POSTMARKET FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices - Draft con t. *FDA will not enforce reporting requirement under 21 CFR part 806 (Corrections and Removals) if all of the following are met (emphasis mine): 1. There are no known serious adverse events or deaths associated with the vulnerability 2. Within 30 days of learning of vulnerability, manufacturer identifies and implements device changes/compensating controls to bring risk to acceptable 3. Manufacturer is a participating member of an ISAO, such as NH-ISAC 26

Cybersecurity How might it impact me? May hear from customers or researchers who scan your device and find a vulnerability FDA submissions under higher scrutiny Ongoing monitoring needed for new vulnerabilities and breaches 27

Cybersecurity How should I prepare? Start with the basics: Follow existing recognized standards such as IEC 80001-2-2 Prepare MDS2 forms: based on security capabilities in IEC 80001-2-2 TIR 57: Principles for medical device security: Risk Management Many other standards cover general security issues (ISO 27000) (http://www.nema.org/standards/pages/manufacturer-disclosure-statement-for-medical-device-security.aspx) 28

Security Capabilities from IEC 80001-2-2 1. Automatic Logoff 2. Audit Controls 3. Authorization 4. Configuration of Security Features 5. Cybersecurity product upgrades 6. Health Data De-identification 7. Data Backup and Disaster recovers 8. Emergency Access 9. Health Data Integrity and Authenticity 10. Malware Detection/Protection 11. Node Authentication 12. Person Authentication 13. Physical Locks 14. Roadmap for 3 rd Party Components in Device Lifecycle 15. System and Application Hardening 16. Security Guidance 17. Health Data Storage Confidentiality 18. Transmission Confidentiality 19. Transmission Integrity 29

In Summary Healthcare will continue to look to technological solutions to bring efficiencies, cost-savings, and telemedicine options to patients Regulators are trying to keep up but it takes time In the interim, it is important to remain vigilant for emerging positions, regulations, and guiding documents to help navigate and plan for the future of the industry 30

Additional Considerations 31

Important Issues to Consider FDA Cybersecurity Guidances FDA Interoperability Guidance Global differences in compliance 32

Interoperability FDA Guidance: Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices - Draft (LINK) Focus on documenting information on the electronic data interfaces List of details provided for each interface, such as purpose, type of data, type of devices intended, method of data transmission, etc. Security and Risk Management Ability of device to handle corrupted data, poor/improper connection, invalid commands, etc List security features V&V: need to assure continue to fulfill intended use; EXAMPLES - testing of ability to handle above situations, validate user interface, verify only authorized users, etc. 33

Interoperability FDA Guidance: Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices - Draft (LINK) Content of 510(k) Device description Details and purpose of each interface, users, specified devices, type of info exchanged, etc Risk analysis Mitigations that are necessary but must be implemented by other parties, analysis of interfaces on the devices, intended connection and effects of those connections on performance Verification and validation Test all limited use case, otherwise test representative case; bulleted list of V&V expectations Labeling Lengthy addition of additions, including purpose of each interface, summary of testing on each interface, specify when interface is meant to control another device, spec for each interface 34

Global Challenges High variability in what is a medical device Software as a Medical Device (SaMD) and Health IT are particularly impacted Growing privacy rules in Europe General Data Protection Regulation poised to replace Data Protection Directive Also, stronger differentiation between privacy and confidentiality than in U.S. European Union is developing new rules for non-medical device Health IT products US is also navigating this issue: See FDASIA report and recent FDA guidance placing lower risk products under enforcement discretion 35

Mobile Medical Applications (FDA Guidance) What is a Mobile Medical App (MMA)? A mobile app that meets the definition of a device and is either: Used as an accessory to a medical device, or Transforms a mobile platform into a regulated medical device Mobile platform: Commercial, off-the-shelf computing platforms that are handheld, i.e. smartphones, tablets Am I an MMA manufacturer? Not if. not making medical device claims for the platform or app (typically healthrelated claims) providing market access to MMAs (itunes, Google play) licensed practitioners who manufacture or alter an MMA 36

Mobile Medical Applications Is my mobile app regulated? List of examples in appendices: mobile apps that are NOT devices mobile apps under enforcement discretion mobile apps that are the focus of FDA right now When does the platform become part of the medical device? An MMA is considered independent of the platform until it uses part of the platform s functionality to achieve its intended use: Sensors Camera Attachments In this case, the platform manufacturer DOES NOT become a medical device manufacturer but the MMA manufacturer must address that functionality in testing, risk assessment, and in specifying acceptable platforms 37

Software as a Medical Device (SaMD) SaMD is defined as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device (IMDRF) International Medical Device Regulators Forum (IMDRF) has produced a 3 part series of documents that outline key issues for SaMD: 1. Key Definitions 2. Possible Framework for Risk Categories and Considerations 3. Application of Quality Management System 38

Software as a Medical Device (SaMD) Many challenges for regulatory agencies trying to deal with a nonphysical device that is highly technical IMDRF documents intended to help inform the regulators SaMD also poses Quality System challenges for many medical device quality systems that were designed for physical devices, where software often has a side channel of processes: Labeling Design Reviews Risk management Overall documentation 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback