Medical Device Security Critical with FDA Interoperability Guide

FDA released final guidance for interoperability with medical devices, further showing the need for strong medical device security.

By Elizabeth Snell

Safely and effectively exchanging and using data is the key focus of the recent FDA guide on medical device security and interoperability.

FDA explained that Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices will help the healthcare industry pinpoint “specific considerations related to the ability of electronic medical devices to safely and effectively exchange information and use exchanged information.”

Medical device manufacturers must keep interoperability as a main objective, according to FDA. Furthermore, appropriate verification, validation and risk management activities must be conducted.

Medical device manufacturers should also specify the relevant functional, performance, and interface characteristics to the user.

“Today’s health care providers and their patients are relying more than ever on rapid, secure interactions among different medical devices,” FDA Associate Director for Digital Health Bakul Patel wrote in a blog post. “From electrocardiograms to infusion pumps, medical devices must reliably communicate and operate in concert.”

FDA received numerous comments from the medical device industry, Patel added. The agency worked to create guidance that “provides clarity and recommendations for what information on interoperability should be included in a manufacturer’s premarket submissions.”

“FDA’s first concern, of course, is safety,” Patel maintained. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Transparency will also be essential, he stated. Designers and manufacturers need to clearly explain how a product performs and how its interface characteristics function. That way, organizations can ensure that the medical device integrates properly and safely with other systems.

Device malfunction or devices failing to operate can occur when medical devices are improperly connected or used, Patel explained. This can be particularly dangerous in the current healthcare environment, as devices are increasingly being used for patient care.

“In many cases, the consensus standards that support interoperability specify data format, interoperability architecture design, or other aspects associated with interoperability,” Patel wrote. “FDA recognizes the benefits of relying on published consensus standards in the design of medical devices.”

“Accordingly, FDA has recognized numerous consensus standards relevant to the development and design of interoperable medical devices and encourages their use.”

Healthcare stakeholders – including providers and device manufacturers – need to keep medical device cybersecurity a top priority as they continue to work toward interoperability. Older devices may still be necessary, but could potentially create more data security issues.

Legacy devices are the greatest current cybersecurity challenge, Hogan Lovells FDA Medical Device Partner Yarmela Pavlovic said in a previous interview.

Some of these devices were released at a time when cybersecurity was not a high priority, and might not have the same security considerations already built in. Devices that weren’t intended to be network-connected are sometimes being “jerry-rigged with WiFi connectors or other network connections,” she said.

Assessing risk has become a critical – and standard – part of the pre-market review of all medical devices, Pavlovic continued. Organizations must determine whether the device has any sort of connection to the outside.

“Then the assessment becomes focused primarily on whether the company – the manufacturer of the product – has assessed the potential for cybersecurity vulnerability and risk and how they have chosen to mitigate those risks,” she said. “Two years ago you could submit a new product application and not mention cybersecurity, and occasionally you would get questions. Now, it will be a question that FDA asks in every instance.”

FDA also finalized its post-market guidance toward the end of 2016, which established a risk-based framework for assessing changes in medical device cybersecurity. That guidance also reviews how changes should be reported or handled so devices do not keep cybersecurity vulnerabilities in place once they’re identified.

“For medical devices that require FDA clearance or approval prior to marketing, every time you change that product after the first marketing authorization is granted, as a manufacturer you have to assess whether that triggers the need for a new filing with FDA,” Pavlovic explained. “Do you have to go back and get a new 510(k) or a PMA supplement? You also have to consider whether any changes made to address safety issues trigger recall reporting obligations.”

