MedTech Companies – Stay Alert!
Following on from our previous blogs on MedJack and the importance of cyber security in the MedTech space, our experts have gone beyond advisory and produced a short guide to protecting your medical devices and digital health products.
The global Internet of Medical Things (IoMT) ecosystem has raised expectations around cyber security, and companies are now aware of the possible threats. Regulators are introducing mandatory compliance requirements or guidance aimed at protecting the end user. Manufacturers are treating these requirements as a step towards maintaining an effective quality management system. This is also an opportunity to build digital trust across the entire supply chain and set a competitive benchmark that supports market growth.
To build robust systems and protected networks, MedTech companies should adopt the following recommendations:
- 1. Know your supply chain
Manufacturers must have a complete and current picture of every member of their supply chain. This awareness starts at product conception and continues through post-market vigilance. Manufacturers should have thorough due diligence requirements and system checks in place that cover the whole connected MedTech network, not just the device they ship.
- 2. Know your global cyber security and compliance requirements
Any supply of connected medical devices that does not meet the applicable regulatory guidelines is considered non-compliant and may carry serious enforcement consequences. Depending on the country, it may be an offence or contravene a civil penalty provision of that country's law.
Throughout the life cycle of a connected medical device, companies need to generate and maintain evidence demonstrating that cyber security risks are considered, evaluated and mitigated at every stage. The evidence required depends on the nature and risk classification of the device in the country of sale or manufacture.
Examples of such evidence include the quality management system and the risk management framework used to protect the connected medical device. In many countries, post-market requirements also call for a process to monitor and manage the ongoing security of the device as new vulnerabilities emerge.
Sponsors of medical devices must also hold sufficient information to substantiate compliance, or have procedures in place with the device manufacturer that allow them to obtain such information and provide it to the regulator on request.
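The supply-chain awareness in recommendation 1 and the post-market vulnerability monitoring in recommendation 2 meet in one concrete process: keep a software bill of materials (SBOM) for each device build and match it continuously against incoming advisories. The script below is an added illustration of that matching step, not code from the original post or from any regulator. It assumes a minimal CycloneDX-style JSON SBOM and a constructed advisory list with hypothetical identifiers (not real CVE numbers); both are embedded inline so it runs offline. The version comparison deliberately handles the boundary cases that trip up ad-hoc checks: an OpenSSL-style letter suffix, a device that already runs exactly the fixed release, and an advisory with no fix yet.

```python
"""Post-market vulnerability monitoring against a device SBOM.

Added example (not from the original post). It assumes a minimal
CycloneDX-style JSON SBOM and a constructed advisory list with hypothetical
identifiers; both are embedded below so the script runs offline.
"""
import json
import re
from typing import Optional

# Constructed SBOM for a hypothetical firmware build (names/versions are made up).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-fw", "version": "3.2.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "lwip", "version": "2.1.2"},
    {"type": "operating-system", "name": "freertos", "version": "10.4.3"},
    {"type": "library", "name": "mbedtls", "version": "2.28.0"}
  ]
}
"""

# Constructed advisory feed. IDs are hypothetical, not real CVE numbers.
# "introduced" is the first affected release, "fixed" the first clean one
# (None means no fix has been published yet).
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "introduced": "1.1.1",
     "fixed": "1.1.1l", "severity": "high"},
    {"id": "ADV-0002", "component": "lwip", "introduced": "2.0.0",
     "fixed": "2.1.2", "severity": "critical"},
    {"id": "ADV-0003", "component": "mbedtls", "introduced": "2.28.0",
     "fixed": None, "severity": "medium"},
]

_SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
_PART = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(version: str) -> tuple:
    """Turn '1.1.1k' into ((1, ''), (1, ''), (1, 'k')) so tuples sort in release order.

    Covers dotted numeric versions with an optional letter suffix (OpenSSL style).
    Anything richer (pre-release tags, epochs) belongs in a real version library.
    """
    key = []
    for part in version.split("."):
        m = _PART.fullmatch(part)
        if m is None:
            raise ValueError(f"unsupported version component: {part!r}")
        key.append((int(m.group(1)), m.group(2).lower()))
    return tuple(key)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed (unbounded if no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return the advisories that hit components in the SBOM, most severe first.

    Each finding carries the action a post-market process would record:
    an upgrade target when a fixed release exists, otherwise a compensating
    control that must be documented in the device risk file.
    """
    sbom = json.loads(sbom_json)
    installed = {c["name"].lower(): c["version"] for c in sbom.get("components", [])}
    findings = []
    for adv in advisories:
        version = installed.get(adv["component"].lower())
        if version is None or not is_affected(version, adv["introduced"], adv["fixed"]):
            continue
        if adv["fixed"]:
            action = f"upgrade {adv['component']} to {adv['fixed']}"
        else:
            action = "no fixed release: apply a compensating control and record it in the risk file"
        findings.append({
            "id": adv["id"],
            "component": adv["component"],
            "installed": version,
            "severity": adv["severity"],
            "action": action,
        })
    findings.sort(key=lambda f: _SEVERITY_RANK.get(f["severity"], len(_SEVERITY_RANK)))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<8} {f['id']} {f['component']} {f['installed']}: {f['action']}")
```

Run as-is, the script reports the OpenSSL and mbedTLS findings and correctly leaves lwIP alone because the build already runs the fixed release. In a real post-market process the SBOM would be generated by the build pipeline and the advisory list pulled from a vulnerability feed; the matching logic and the "no fix yet" handling are the parts that rarely change.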
- 3. Know your QMS standards
Connected medical devices vary widely in the components they bring onto a network. They operate in different environments and may need to adhere to different standards and best practices.
Standards cover both pre-market and post-market cyber security requirements and generally help companies align with regulatory guidelines for connected medical device security. Pre-market requirements are largely those that must be addressed during design and development; they include ISO 14971, which covers the application of risk management to medical devices. Knowing the relevant standards helps companies develop appropriate controls for risk management and risk assessment, including threat assessment (e.g. threat modelling), vulnerability assessment and impact assessment.
- 4. Know your liabilities and what to do if something goes wrong
In the event of hacking or MedJacking, it can be difficult to apportion responsibility between the device manufacturer and the end-user organisation, because the medical device is connected to several different networks and systems.
Imagine a scenario where a ransomware attack occurs midway during a surgery, subsequently causing the device to malfunction; or a hacker obtains the ability to shut off pacemakers and threatens to do so unless the hospital pays them off.
Were these harms foreseeable to the device manufacturer? Would an alternative design have prevented them? Is it the end user or the device manufacturer who must address these problems? In the event of a data breach or other cyber security incident, the product manufacturer, software developer, medical device company, healthcare provider and perhaps even the wireless network provider could each find themselves potentially liable for the compromise of a patient's protected health information.
Connected medical device companies should take this opportunity to assess their compliance with country-specific regulations and regulatory guidelines, then complete a risk management plan. These steps help manufacturers assess their own liability exposure as more players, among them software developers, app developers and cloud storage companies, enter the medical device industry.
In addition, a written crisis operation plan describing how to respond to a cyber attack is a pivotal document to have in place. Connected medical device companies should identify the internal and external teams that will execute this plan and be prepared to assess their legal obligations rapidly. Acting quickly after an incident minimises the damage.
- 5. Know your buyer's priorities for connected medical device security
Purchasers of connected medical devices, such as hospitals, are now asking their information security teams to test and evaluate vendors independently of the procurement department. Some hospitals already insist on receiving an up-to-date Manufacturer Disclosure Statement for Medical Device Security (MDS2) as part of the procurement process. A responsible manufacturer has a duty to ensure that product performance and safety measures meet that scrutiny: a single weakness in the system can cost lives and affect patients.
When companies and members of the ecosystem consistently apply these measures and practices, the ecosystem as a whole becomes less vulnerable to cyber threats. Manufacturers need to take more protective measures to defend their products from cyber attacks and to meet regulatory and conformity requirements. Above all, as a responsible member of the ecosystem, patient safety and the care experience should be the top priority.
Our experts are helping many clients with similar cyber-security support and reducing the regulatory risk arising from different regulatory requirements.