Medical Device (MD) and in vitro diagnostic (IVD) cybersecurity has become a major consideration. We regularly hear about healthcare institutions and devices being hacked. There can be a tendency to treat cybersecurity as an afterthought or a simple check box to complete prior to submission. Over my years in product development and now assisting clients, I have witnessed how the rigor behind achieving a secure device has matured. The expectation now is a “defense in depth” process approach to keeping our devices and our healthcare institutions secure.

One way to think about MD and IVD cybersecurity is to think about your device entering a community. In a community, we all need to get along and we all need to coordinate our defenses against outside threats. This is why there are layers of guidance and standards addressing different aspects of cybersecurity. This can become a bit confusing. Healthcare institutions are tasked with managing their attack surface. To do this effectively there needs to be a partnership with MD and IVD manufacturers. This partnership involves the manufacturer disclosing important information to the healthcare institutions about the product and about the processes the manufacturer follows post-market (including decommissioning). This partnership involves communicating product cybersecurity capabilities and expectations in the healthcare environment to achieve and maintain a target level of cybersecurity.

Another aspect of cybersecurity pertains to the use of off-the-shelf software. In the old days, just about all aspects of software development involved writing custom code. Nowadays a large percentage of software products involve the use of third-party software components. The efficiency of development and the quality of the software are greatly enhanced by dedicated drivers and libraries developed by specialists outside your organization, each applying expertise to a particular functionality. This is all great, but many of these components are built for general use and are now being applied to MD and IVD. The risk management we apply to MD and IVD now needs to include cybersecurity. Again, there are now expectations (standards, guidance) on how we monitor the components in our Software Bill of Materials (SBOM) for vulnerabilities and keep them up to date.

Being a big fan of context and system perspectives, I’ve put together a white paper to walk through processes intended to satisfy cybersecurity requirements. The intent is to see the forest better while paying attention to the trees. At Qserve we have seen many clients have their timelines set back for having inadequate attention paid to cybersecurity on their devices. The white paper is intended to help regulatory, quality, and product developers adopt a proactive approach to cybersecurity. The goal is to show how to comprehensively align cybersecurity to MD and IVD software processes during and post development. A free webinar with additional clarification is also scheduled for 29 August 2023.

Register for free. Our goal here at Qserve is to help you get your safe, effective, and secure products on the global market!