Clinical Login Support Contact Sales
Products

More than a Quality Management System: Tools for the entire MedTech Lifecycle.

Learn More

Featured Capabilities:

Document Management Training Management CAPA Management Audit Management Product Development

Experience the #1 QMS software for medical device companies first-hand. Click through an interactive demo.

View Product Tour

Accelerate development with integrated design control and risk software.

Learn More

Featured Capabilities:

Design Controls Risk Management Risk Intelligence

Schedule a custom demo of Greenlight Guru Product now.

REQUEST A DEMO

Data collection and management designed for MedTech clinical trials.

Learn More

Featured Capabilities:

Electronic Data Capture (EDC) Electronic Case Report Forms (eCRF) Electronic Patient Reported Outcomes (ePRO) Ad-Hoc Data Collection (Cases) Post-Market Surveys Product Add-Ons

Get a personalized demo of Greenlight Guru Clinical today.

Request a Demo
Solutions
Why Us
Customers
Partners
Company
Resources
ROI Report Cover

Calculate Your ROI
Pricing
Request a Demo
Request a Demo

Navigating the MedTech Cybersecurity Ecosystem

Written by: Nick Tippmann
July 12, 2021

GMDP-header-Mike Drues (1)

Cybersecurity continues to be a crucial concern for medical device safety and effectiveness in the US, for manufacturers and regulators alike.

In this episode of the Global Medical Device Podcast Jon Speer talks to Mike Drues from Vascular Sciences about the opportunities and challenges associated with medical device cybersecurity. Listen as Mike and Jon share their thoughts on the potential ways to eliminate or reduce cyber threats and encourage better cybersecurity practices for medical devices.

 

LISTEN NOW:

Like this episode? Subscribe today on iTunes or Spotify.

 

Some highlights of this episode include:

  • Cybersecurity is an important topic, but why is the FDA concerned about it? It’s important not to over-generalize.
  • For example, identity theft may involve a physical medical device or Software as a Medical Device (SaMD). With that, a person’s personal information such as their credit card number could be stolen. Should not be the FDA’s concern.
  • What about patient privacy? Personal health information or confidential electronic health records are a HIPAA matter - not the FDA’s concern.
  • Cybersecurity related to the safety and efficacy of a medical device, however, is the FDA’s concern.  Safety and efficacy of medical devices is part of FDA’s Center for Devices and Radiological Health (CDRH) mission.
  • Some have seen in the popular press or been told the urban legend around cybersecurity concerns for implantable devices, such as insulin pumps, pacemakers, catheters, and angioplasty (a.k.a. the Johnny Carson Procedure).
  • NIST’s call for position papers/statements covered five areas:
    • Criteria for designating critical software.
    • Initial list of secure software development lifecycle standards, best practices, and other acceptable guidelines.
    • Guidelines outlining security measures that will be applied to the federal government’s use of critical software.
    • Initial minimum requirements for testing software source code.
    • Guidelines for software integrity chains and provenance.
  • The categories above are not new and don’t really relate to cybersecurity. These should be standard operating procedures for companies developing products where cybersecurity and software is applicable.
  • How to minimize or avoid cybersecurity concerns? Join boards/committees to create standards, and determine if there’s a legitimate reason to connect to the internet and communicate with the outside world.

 

Links:

FDA lays out device cybersecurity efforts as feds look to implement Biden executive order

Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security

Response to NIST Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security

Health Insurance Portability and Accountability Act (HIPAA)

FDA - Center for Devices and Radiological Health (CDRH)

U.S. Department of Health and Human Services (HHS)

The Terrorist Hack that Shocked America – and Why it Matters (Homeland Episode)

Johnny Carson Procedure (Angioplasty)

International Organization for Standardization (IOS)

ASTM International - Standards Worldwide

Underwriters Laboratories (UL)

Mike Drues of Vascular Sciences on LinkedIn

Global Medical Device Podcast, Episode 164: What is a multiple function device?

Cybersecurity for Medical Devices: Best Practices from Regulatory Standards

Greenlight Guru Academy

The Greenlight Guru True Quality Virtual Summit

MedTech True Quality Stories Podcast

Greenlight Guru YouTube Channel

Greenlight Guru

 

Memorable quotes from this episode: 

“Safety and efficacy of medical devices is at least a paraphrase of part of the FDA - CDRH mission.” Jon Speer

“If there’s a cybersecurity concern that could affect the safety of the device, that is something that FDA could and should be, quite frankly, concerned about.” Mike Drues

“I’m a big fan of using regulatory logic.” Mike Drues

“None of this is new. These should be standard operating procedures for companies that are developing products where cybersecurity and software is applicable.” Jon Speer

 

Transcription:

Announcer: Welcome to the Global Medical Device podcast, where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge direct from some of the world's leading medical device experts and companies.

Jon Speer: How excited are you about the topic of cybersecurity? I know it's one of those things. Like maybe it applies to you, maybe it doesn't, but nonetheless, there's a lot of publicity. There's a lot of stories about this, a lot of different angles. For example, recently the National Institute of standards and technology put out a call for position papers on the topic. FDA has come out with a position paper on the topic. So joining me on this episode of the Global Medical Device podcast is Mike Drues with Vascular Sciences and we unpack cybersecurity a little bit. We even propose some thoughts and ideas on ways to potentially even eliminate the idea of cybersecurity from your medical device. So enjoy this episode of the Global Medical Device podcast. Hello and welcome to the global medical device podcast. This is your host and founder at Greenlight Guru, Jon Speer. Joining me today is familiar voice and should be familiar face on the Global Medical Device podcast. Since we've added video is Mike Drues from Vascular Sciences. So Mike welcome.

Mike Drues: Thank you, Jon.

Jon Speer: Lately, there was an article, I think you sent it to me the other day and it was intriguing to me. I'll just read the title and then we'll dive into the topic. But the title of the article states," FDA lays out device cybersecurity efforts as feds look to implement the Biden Executive Order." And I guess the first question that comes to mind, not to sound obvious here, but why is cybersecurity such a hot topic?

Mike Drues: That's a great question, Jon, and as always, thanks for the opportunity to talk about this important topic with you and your audience today. Jon, let's actually take a half a step back even from that question and ask a question that I sometimes get from some of my customers in this area. Why is FDA concerned about cybersecurity? Is it within even FDA's authority to be concerned about cybersecurity? Cybersecurity, Jon, is a very broad topic and I think like a lot of the other topics that we talk about, it's important not to over- generalize. So let me give you a couple of quick examples, Jon, when it comes to identity theft, in other words, if somebody hacks into a software as a medical device or even a physical device that has some personal information like credit card information, do you think that is or should be a concern to the FDA Jon?

Jon Speer: I'm going to say no. And I was thinking about it before but I say no, I don't see where that's an FDA matter of concern.

Mike Drues: I agree with you, Jon, that is absolutely not an FDA matter of concern, nor should it be when it comes to cybersecurity for identity theft. How about issues related to patient privacy? For example, if somebody hacks into a device and gets certain confidential, I don't mean financial information, but for example, your electronic medical record, do you think that is, or should be a concern to the FDA Jon?

Jon Speer: So we're talking PHI, patient health information or personal health information?

Mike Drues: Correct.

Jon Speer: And it's definitely more of a HIPAA concern. And I, if memory serves HIPAA is not under FDA umbrella, I think it's under HHS. So I'm going to go with no on that one as well.

Mike Drues: Right again Jon. That is a HIPAA concern. That is not an FDA concern. How about finally when we get to the issues of cybersecurity, when they relate to the safety and efficacy of the device, and let's parse that a little bit further, I can't really think of too many examples where somebody would want to affect the efficacy of the device via cybersecurity, but when it comes to safety, that is a potential concern of the FDA. Would you agree, Jon?

Jon Speer: Yeah, absolutely. I mean, I think that safety and efficacy of medical devices is at least the paraphrase of part of the FDA CDRH mission, right?

Mike Drues: That's exactly right. So cyber security, specifically when it comes to safety, that to me is no different than biocompatibility or electrical safety or anything like that. So if there's a cyber security concern that could affect the safety of the device, that is something that FDA could and should be quite frankly concerned about and responsible medical device developers. That's something that we also should be concerned about as well. Do you think, your original question Jon is why is cyber security is such a hot topic today? You mentioned the politics, the Biden initiative. Well, I would argue that Jon, that cybersecurity has been a concern for a very long time, but do you think of an example that really kind of popularized this idea of somebody hacking into medical devices in the past? In other words, what brought this to a lot of people's attention, not just in the medical device community, but in the broader community?

Jon Speer: Well, I don't know if this is the one you were fishing for, but one story that comes to mind on this topic, I think it was in the category of urban legend for the longest time, until I actually met the person who was connected to the guy that did it, but insulin pumps, a programmable insulin pump. There was this story about this person who figured out, not a doctor knowledgeable about diabetes and the disease state as the story goes, or at least my memory of the story, this person's child was prescribed a particular insulin pump. Well, this person also was a software developer and figured out a backdoor in a way that basically hacked the insulin pump to reprogram it and change the therapy that was prescribed to his child. So that's a particular story that comes to my mind on this topic. So was there another one that you were thinking of?

Mike Drues: I am familiar with several anecdotal examples like the one that you just described. But the one that I was thinking of Jon, that really popularized this, do you remember the old TV show on Showtime called Homeland?

Jon Speer: Oh yeah. Sure.

Mike Drues: Do you remember there was a particular episode where somebody hacked into the Vice President of the United States pacemaker?

Jon Speer: Yes. Now I do.

Mike Drues: That was back. I looked this up prior to our conversation today, Jon, that was back in 2013. So almost a decade ago that was on the TV. So cybersecurity, specifically cybersecurity when it comes to safety of medical devices. And in this particular case, we're not talking about an SAMD or an app or something like that. We're talking about an implantable device like a pacemaker, or you just mentioned an insulin pump. This is not a new idea. This has been going around for a long time. And the reason why I use that Showtime Homeland TV show as an example, Jon, is because it's usually when things show up in the popular press, like in the television, that's when things really capture people's attention. For example back in the day, you did a lot of work with catheters and cardiology. Do you remember why back in the 1970s angioplasty became popular and it had nothing to do with physicians touting the procedure?

Jon Speer: I really don't.

Mike Drues: I don't know if you knew this story, Jon, but John Abele, the co- founder of Boston Scientific likes to tell this story, Jonny Carson, the TV personality was one of the first people to get an angioplasty and sometime later he got onto the television and talked about it. And that is really what caused a lot of people to go to their doctors and say," Hey, I want the Jonny Carson procedure." So that's why I mentioned the Showtime episode. People talk about getting a physician champion, for example, to talk about your new medical device. Well, a physician champion at a conference is not nearly as valuable as a Hollywood champion who gets on the TV, talks about your devices, but that's a topic of a different time.

Jon Speer: I think, don't quote me on this, but I think the show Homeland recently found its way into Netflix.

Mike Drues: Well, perhaps so, but for what it's worth, I did look it up, but I believe that particular episode goes back to 2013, which is almost decade ago from when we're making this recording today. Anyway, so those are some of the reasons why I think cybersecurity is important, but we need to limit the context of cybersecurity, at least from the FDA's perspective to those aspects specifically related to the safety of a device so it does not include identity theft issues. It does not include patient privacy issues. Those are clearly important issues, but not from the perspective of the FDA. Does that make sense Jon?

Jon Speer: And I think as a company, medical device company who has products that where cybersecurity is an important aspect, first and foremost, I think it makes good business sense to make sure you're protecting financial details, aspects of your products. I think it makes a great sense as well from a patient privacy perspective, from a HIPPA point of view, in addition to the device safety. And I don't know if you know this answer and I'm not trying to put you on the spot here, but I'm curious. I wonder if even though the articles that I reviewed on this topic were FDA centric, are there equal interest or is the magnitude of this topic on par with other areas like HHS and other parts of the government not just FDA? I'm just curious. I don't know if you happen to know that.

Mike Drues: Yeah, that's a great question, Jon. Unfortunately, my experience and my expertise is pretty limited to medical product applications and specifically as they relate to FDA. So I'm not really an expert when it comes to other aspects of cybersecurity, but here's the regulatory metaphor that I would share Jon, because as you know, from our many conversations in the past, I'm a big fan of using regulatory logic as I like to call it and try to understand the intent of the regulation rather than the letter of the regulation itself. So the metaphor that I would use here is a topic that you and I talk about in a podcast a few months ago, and that is multifunction devices. In other words, if you have a device, for example, where a portion of the device is a FDA regulated medical device, and another portion of the same device is not an FDA regulated medical device. You remember we had this conversation Jon?

Jon Speer: I do.

Mike Drues: So cybersecurity is exactly the same way. As I said earlier, there are a number of different, important aspects of cybersecurity that are important, but only those aspects of cybersecurity that are important from medical device safety perspective, I think are fair game for the FDA to be concerned about and to evaluate. So that's the regulatory logic that I would apply here. So in that sense, Jon, there's nothing new here when it comes to the challenges of cybersecurity if you understand the intent of regulation that we have or guidance that we have in other areas, the same regulatory logic applies here, does that make sense, Jon?

Jon Speer: It does. And as I was doing a little bit of research and background on this particular topic, it seems to go wit, for a moment, quasi political, at least there's an organization. And I don't know that much about what, I'm familiar with the name, but I don't know that much about what they do, but there's an organization called the National Institute of Standards and Technology or NIST, that seems to be jumping in on this topic of cybersecurity. And I saw that they, and this is a little bit dated, but folks will still include the link to this and I noticed that a company that show, but they had a call for position papers back in May and June on different aspects of cybersecurity. And then I noticed that when I was digging, the FDA had a response to the NIST call for papers and that sort of thing. So starting off this podcast, the article that caught my eye and was clearly, had some sort of executive order tied to it. So are we seeing some sort of political game here, do you think, or maybe not so much?

Mike Drues: Well, we can't be naive here, Jon. I mean obviously politics infiltrates everything and that's not necessarily a bad thing, but it is a fact of life, but specifically when it comes to NIST and thank you for bringing this up, Jon, I put them under the same umbrella if you will, as ISO as ASTM, as underwriters labs, there's a number of organizations, some of them directly affiliated with the government, some not that develop standards, whether it comes to cybersecurity or biocompatibility or electrical safety or what have you. And so in a sense Jon, one can view this as FDA sort of outsourcing, if you will. Developing a standard for cybersecurity, specifically of medical devices, to an organization like this, and there's nothing wrong with that. And in a similar fashion, when FDA puts out, for example, a guidance, usually there's a period of time where FDA keeps the door open for any interested parties, whether it's a company or physicians or individuals to offer comments on that guidance, FDA is in essence doing the same thing here. So they put out this position paper, kind of like the position papers that we've talked about before under the topic of artificial intelligence, which if you remember Jon, I've been quite public about this. I think FDA's approach to regulating AI, quite frankly, is back words to put it politely, but there's absolutely no problem. And I think it's a good idea as these standards are developed for people to offer comments. As a matter of fact, Jon, to be clever. And I've done this many times before, oftentimes specific companies will have employees or representatives of their companies serve on the panel of these organizations. That happens in ISO all the time. Are they doing that Jon for altruistic reasons? I doubt it. Part of the reason why they're there quite frankly, maybe the most important reason why they're there is so that those companies can influence how those standards are written.

Jon Speer: Yeah.

Mike Drues: So let's be honest, Jon, whether people want to talk about it when people want to admit it or not, these things happen. And I'll be honest, this is a strategy that I've advocated to many of the companies that I work with. If you're working in an area that's a relatively new area, whether it's cybersecurity or something else where there are not already existing standard, then why not volunteer to serve on a committee where you might have some input as to how those standards are developed. Do you think that's a good idea, Jon or do you think that, to use one of your words in the past that you've used before, do you think this is somehow nefarious?

Jon Speer: Yes. I we'll just go with that. I think the influence piece is absolutely a part of it, for sure. I mean, let's be very candid. I mean, I'm a big fan of altruism and I like the way that I do things, right. And so if both of those things could blend together then let's make that the way of the land, so to speak. So I'm sure there's parts of both of those sides are having an impact or influence so to speak. But interestingly, in these position papers that were called from NIST back in May, June timeframe, the buckets or the categories, the first one was criteria for designating critical software. The next one was an initial list of secure software development, life cycle standards, best practices, et cetera. Third one was guidelines outlining security measures that shall be applied to the federal government's use of critical software. Next item, initial minimum requirements for testing software source code. And then the last bucket or category was guidelines for software, integrity, chains and provenance. Now, as I read this, I'm like, none of this is new either. These shouldn't be standard operating procedures for companies that are developing products with cybersecurity and software is applicable. This is not new stuff.

Mike Drues: I agree with you, Jon. None of it is new to me and actually I would take it a step further much if not all of what you just ticked off on that list at a high level. Anyway, it has really to do with cyber security. These are just general concerns across software and to be honest with you, Jon, these are general concerns across all medical devices, whether they involve software or not. So yeah, not to be cynical, but one could easily ask the question, what is really new here and what is unique about cybersecurity that we don't share the same or similar challenges with other medical devices already? One of the things that I've tried to stress in many of our previous conversations, Jon, is that we always have to look for similarities where no similarity seemed to exist. And this is a skill that quite frankly, a lot of people don't have, but it's a skill that you can develop in yourself. If you just simply ask yourself the question, what similarities are there between cybersecurity and electrical safety and biocompatibility and so on and so on. And in that sense you might be surprised at what you come up with. So let's try to make this as pragmatic as we can. One of the suggestions that I made already is a company working in a new area, like for example, cybersecurity, from a strategic perspective, it does make sense to consider having a representative that your company serve on a committee, whether it's part of NIST or ISO or whatever it is to develop these standards. But can you think if somebody came to you, Jon, if a customer came to you and said," Hey, we've got a device, we're a little concerned about cybersecurity. How can we avoid minimize or maybe ideally avoid the whole cybersecurity question?" What advice would you say to them, Jon? How could they avoid

Jon Speer: Avoid it? I mean, knee jerk reaction to that is, well, I have a purely mechanical product.

Mike Drues: Yeah. I mean, exactly right, Jon. What is the necessity of having your device be in communication with the outside world? Whether it's the telephone, wifi, internet, Bluetooth, what have you? So my first response, because I get this question a lot. Jon, is, is there a real necessity for your device to hook up to the outside world? Let's be honest Jon, we've had medical devices for a very, very long time, long before Al Gore invented the internet and you're laughing Jon but I'm guessing that many in our audience probably don't even know who I'm referring to.

Jon Speer: There's two references in this podcast, at least to Jonny Carson and Al Gore inventing the internet. That might be news to some people. But anyway,

Mike Drues: Unfortunately, Jon, I guess I am beating myself here. That's sort of-

Jon Speer: I got both the jokes. I got both references.

Mike Drues: So we're both getting old, how is that. But seriously. I mean, the question is, is there a legitimate reason why your device needs to be connected to the outside of the way? If the answer to that question is yes, then by all means we need to take cybersecurity into account for all the reasons that we've talked about earlier. But if the answer is no, or if the answer is not most of the time, in other words, usually when I ask that question, does your device need to get connected to the outside of the world? The first response is yes for updates. So I say," Okay, how about a compromise? Everybody wants to have, you know, 24/ 7 communication, but for a lot of medical devices, certainly not all, but for a lot of them, 24/ 7 is not necessary." So for the purposes of update, this is going to sound very old fashioned to you, Jon. But there is a certain beauty to the adage of keep it simple, for that small period of time when you want to offer a software update to your device. At that point, you connect it to the outside world. And then as soon as the update is complete, you disconnect it. This can be done either via software or fashioned hardware. You literally plug it into the wall, you get your update, you disconnect it and then you're done. And that way, the only time that you have to worry about potential cybersecurity or other threats is during that short period of time that you're actually connected. The rest of the time, you don't have to worry about it. Now, will that apply to all medical devices? Absolutely not. There are many devices that we need to have in constant communication, but then again, Jon, there are a lot of other devices that don't need it. What do you think of that?

Jon Speer: Well, it's an interesting point. And I think a lot of times on this topic, or at least your question, does it need to communicate with the outside world in some way, shape or form? We're always quick to think about the benefits of why it would do that. Why I would want that for my product. I think maybe this is why topics like cyber security are things that you and I discussed with time to time because we don't think about the risks or we don't give that as much credence as we should have because you just cited an example of maybe I don't need it to communicate with the outside world. And instead I could do this other approach or methodology to handle that scenario.

Mike Drues: And as a biomedical engineer, Jon, I often like to think about root cause. A lot of the root cause of these concerns and these aspects of medical device development comes down to psychology, comes down to our thinking because all of us, myself included have gotten used to having devices around us that are connected all the time, 24/7. We have texting all the time. We have email all the time. But when you think about it Jon, how many people who seem to have forgotten that not that long ago, we didn't have 24/ 7 communication? Is it really necessary to respond to an email from your boss at two o'clock in the morning?

Jon Speer: I know.

Mike Drues: But you know what, Jon, medical devices, most of them, not all of them, most of them are exactly the same way in a way. So are you connecting your device to the rest of the world 24/ 7 out of necessity? If the answer is yes, then by all means do it, but if not, maybe you can avoid most, if not all of these problems with a much simpler, much less elegant or maybe more elegant solution. And that is if you don't have to communicate all the time.

Jon Speer: Yeah. I mean, it's been really, I hadn't even thought of that to be honest. So I appreciate that insight and that point of view.

Mike Drues: Keep it simple, stupid.

Jon Speer: Keep it simple. I mean, and I was a little tongue in cheek when you asked me the question and I set a mechanical example, but to your point, I mean, it doesn't have to be a purely mechanical device. I just have to think about containing my product, such that it's isolated from the communications. And I mean, it's kind of a throwback way of thinking about a medical technology. I mean the last time I was in a hospital, it's amazing to me how many products, devices, in that setting have alarms and flashing lights. And, you see the nurses station with all the monitors and the telemetry data and they have one with just like the patient blood pressure and heart rate and all that going on. And then another one with video, it's just like it's information overload.

Mike Drues: That's a topic of a whole other conversation, Jon, when it comes to alarm fatigue and that, maybe we can do another discussion about the problem with infusion pump and infusion pump alarms that happened about eight years ago or so to basically all of the usability testing requirements that we have for medical devices today, that's a topic of a whole different discussion. But when it comes to cybersecurity, don't overlook the simplest, the most obvious solution. And that is don't have your device connected to the rest of the world if you don't have to. And if you do need to have your device connected to the rest of the world, does it need to be connected all the time? You mentioned, for example, Jon in critical care environment where monitoring of patient information in real time is very important. And that's a particular example where you're probably going to need 24/ 7 communication. But I would argue Jon, that relatively speaking, that's a small number of medical devices, a lot of other medical devices that need to share information that need to transmit for example, information that they collect from a patient at home to the doctor's office, they don't need to be connected 24/7. They might be able to transmit that data, say once a day or once a week. For that period of time, you're connected then and then for the rest of the time you're disconnected. Don't overlook the simplest and most obvious solution to a lot of these problems. That's my point here.

Jon Speer: Well, and I think that's good for those listening, when you're designing and developing your product, consider it the simplest solution to accomplish the means and the objective that you're seeking for your product. There's multiple different ways to do this on all the time. It might sound the most convenient and the most appealing from a use case perspective on this topic, especially cybersecurity, it's going to be the riskiest endeavor. So do you have, back to when we started this conversation with, does your product have financial data credit card information, et cetera. Do you have patient health information? Do you have details about the functioning of your product that impacts safety or other things. So all on all the time is going to expose your product in a way that nefarious people, to bring my word back, might be out there figuring out the back doors and ways to hack into your product, to get all of that information.

Mike Drues: Absolutely. I agree with you Jon, and take this one step further and I think we could to wrap up our conversation here with maybe a few final thoughts and recommendations, but when it comes to safety, as you and I have talked about before Jon, the flip side of safety as a topic that both of us are very interested in involved with, and that is risk. So any medical device that does not take into account risks associated with cybersecurity threats. Now, again, let's not be overly broad here. I'm not talking about identity theft. I'm not talking about HIPAA issues. I'm talking about specific risks. Like for example, if somebody hacking into the Vice- President's pacemaker, right? That is literally a risk. Any company that does not have that as part of their risk management plan, as an identified risk and whatever potential measures are in place to minimize the risk and the associated harms that might result from that risk. In my opinion, Jon, and this is going to sound harsh, but I think most of your audience probably knows me by now. Those people should not be in that business. It's as simple as that. If you can't anticipate, if your device is sending information out via the internet or the telephone or whatever it is, it doesn't matter. If you don't anticipate the potential risk of somebody else, sending information back in the opposite direction, you shouldn't be in this business.

Jon Speer: Yeah.

Mike Drues: It's just common sense. It stands to reason, right? So you need to identify those potential risks and you need to, you mentioned the mechanical analogy, Jon, I don't want to get into the details of how we can do this, but we need a software check valve if you will. We need a lot to allow the flow to go in one direction, but not to the other direction. Or if the float does go back in the other direction, we need to have some sort of, again, to use all mechanical metaphor here, some sort of a valve or a venturi or something like that in place, maybe a filter to allow the good stuff to get through, but not to allow the bad stuff. All of that has to be in your risk management plan among other things as well. Would you agree Jon?

Jon Speer: Totally agree. And, good news is the position paper from FDA on this topic, I think does a decent job of talking about that case and they call it science driven security testing, and they don't elaborate a lot of details, but the gist of, at least what I've picked up is exactly what you just described. So I'm encouraged from that perspective. FDA is like, yes, this is what you need to do, med device company on this topic of cybersecurity. But I know it seems like it should be common sense and logical, but that's again-

Mike Drues: Common sense is not as common as we would like to think that it is sometimes. Present company excluded, we're not talking about anybody in our audience here. We're talking about the other people that are not listening to us. And by the way, I liked using metaphors. I like looking at other areas for inspiration. You made the comment earlier that nothing is new here. I would actually take that to a much further extreme. Anybody that knows something about basic biology, what we're talking about here is the concept of a cell membrane, a semipermeable membrane that basically allows certain things to go through and it prevents other things from going through or the meninges, the blood- brain barrier that's around your central nervous system. So there's tremendous amount of inspiration, if you will, around the world that surrounds us, we just have to go out and look for it.

Jon Speer: Absolutely. Mike, any other tips, pointers, practical advice that you think is worth sharing with listeners on the topic of cybersecurity before we wrap things up today?

Mike Drues: So just to recap, what I thought were some of the highlights of today's discussion and feel free Jon to add anything that I may have missed, always think about if you have a device that is connected to the outside of the world, but remember to limit at least your cyber security's concerns to the FDA sense of cybersecurity, not identity theft, not HIPAA, not even efficacy so much, but those things directly related or could be related to the safety of your device, include that in your risk management plan, as well as the measures that you plan to institute to mitigate the harms associated with those risks. Consider the possibility, if you're working in an area where standards have not been developed or are in the process of being developed, serving on a committee, whether it's through a different organization so that you can A, understand the standards of that are being developed and B, have influence as to how those standards will be developed in the future to benefit your product and perhaps to challenge your competitors, that this happens all the time. And the third point I was going to make now, Jon, maybe you can help me out because it just slipped my mind.

Jon Speer: Here's the main takeaway that I took from this conversation is if you think cybersecurity has to apply to your product, just take a step back. Reconsider. Think about exactly the need, the interaction that your product has at point of views. And, if you say it has to be on all the time, communicating with the outside world, does it, maybe it doesn't, maybe there are some safeguards and some controls you can put in place with your product so that it's not exposed or minimizes the exposure from cyber security threat. So keep it simple as you possibly can. So just reconsider, just think about it. There, of course, as Mike mentioned, there are plenty of examples of products and technologies that do need to be on all the time because of the nature of their use. But I would say the vast majority of medical devices probably don't. So weigh those benefits with those risks and make sure that you're being robust, thorough and complete with the design and development of your products to address those scenarios.

Mike Drues: That was precisely my third point, Jon. Thank you for reminding me.

Jon Speer: All right. Well, Mike, I'm glad we had an opportunity to talk a little bit about this topic. I don't honestly spend that much time thinking about or reading about cybersecurity. So in preparation for, and during the discussion today, there's lots of little nuggets I picked up and I think this is an important, you know, keep the frame of mind appropriate, make sure that as it relates to FDA, that my focus is about the safety, in alignment with the mission or the objectives of the FDA too. So bear that in mind.

Mike Drues: And yeah, I had a very last thing that I would share, Jon, and then we can wrap this up. It's a recurring theme through a lot of our discussions, whether it comes to cybersecurity or any of the other kinds of testing, please don't follow what so many of these industries seem to do, and that is the ticking boxes on a form because the whole purpose of thinking about whether it's cybersecurity or biocompatibility or anything, I hate to hope on this, Jon, but I just had a conversation with one of my customers just earlier today where, one of the boxes on the form that we need to tick, and this particular company was doing some ISO testing that I asked them," How is it applicable to their device?" And they said," It's not applicable." And I said," Well, why are you doing it?" And they said, because it's on the form. It's like, oh my gosh. So whether it comes to cybersecurity or anything else, please think first. Does it make sense? If it makes sense, then do it. If it doesn't make them do it, but somehow Jon and I know I'm preaching to the choir, but we need to get past this ticking boxes on a form mentality, which, I don't want to overstereotype here because it doesn't affect everybody, but it seems to permeate a lot of our industry today, which is not necessarily a good thing.

Jon Speer: Yeah, I think it's worth reminding folks, we're in this business to improve the quality of life and ticking boxes on the form for things that don't apply to your product does not align with that. So think about that intelligently. So Mike, I always appreciate the opportunity to catch up and talk about hot topics and our industry. Cybersecurity is not new, but something that is starting to bubble up for who knows probably a lot of reasons, but certainly a topic that I think folks need to think twice about and not just tick that box and move forward. So I also want to thank you all for being loyal listeners and watchers now of the Global Medical Device podcast. So thank you for keeping us as the number one podcast on the medical device industry. Continue to spread the word to your friends and coworkers and colleagues. And until next time, this is your host and founder at Greenlight Guru, Jon Speer, and you have been listening and probably watching the Global Medical Device podcast.

ABOUT THE GLOBAL MEDICAL DEVICE PODCAST:

medical_device_podcast

The Global Medical Device Podcast powered by Greenlight Guru is where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.

Like this episode? Subscribe today on iTunes or Spotify.

Nick Tippmann

Nick Tippmann is an experienced marketing professional lauded by colleagues, peers, and medical device professionals alike for his strategic contributions to Greenlight Guru from the time of the company’s inception. Previous to Greenlight Guru, he co-founded and led a media and event production company that was later...

Related Posts

Product Development

Software Bill of Materials (SBOMs) & Cybersecurity in the Medical Device Industry

Nick Tippmann
June 1, 2022
In this episode of the Global Medical Device Podcast, Jon Speer and Etienne Nichols talk to Ken Zalevsky, Certified CyberSecurity Leader and CEO of Vigilant Ops, about... Read More
Product Development

Shifting Sands of SaMD Cybersecurity Regulations

Nick Tippmann
July 5, 2022
FDA has issued new draft guidance on cybersecurity for software as a medical device (SaMD). If the FDA releases that draft guidance ‘as is,’ it will massively and negatively... Read More
Product Development

The Future of Cybersecurity

Nick Tippmann
April 29, 2022
What will the future be for software as a medical device (SaMD) and cybersecurity? Manufacturers need to identify cybersecurity issues with their medical devices because... Read More
Subscribe Request a Demo
Search Results for:
    Load More Results