“Cybersecurity threats are real, ever-present, and continuously changing.”
That’s how Suzanne B. Schwartz of the FDA describes the production and postmarket environment for medical devices. And it’s true: cybersecurity threats pose ever-present challenges to the life sciences industry, putting people’s health, safety and security at risk.
With that in mind, the FDA released official guidance for postmarket cybersecurity management. This is extremely important because many devices are connected to hospital systems or personal internet systems, which contain a lot of sensitive information.
The FDA recommends a full lifecycle approach to security, which begins in the design phase:
Have a system for monitoring and detecting cybersecurity vulnerabilities.
Use risk management to identify and understand the level of risk a vulnerability can potentially pose.
Include external cybersecurity stakeholders to research and consult on potential vulnerabilities. This is formally known as a “coordinated vulnerability disclosure policy.”
Mitigate cybersecurity risks proactively before they are exploited.
Prioritizing cybersecurity measures in the earliest phases of product design will benefit you through all stages of production and postmarket release.
Case in Point: St. Jude Medical
One company doing an excellent job of managing postmarket cybersecurity is St. Jude Medical, Inc. They recently announced their latest set of cybersecurity measures for the Merlin remote monitoring system that’s used with implantable pacemaker and defibrillator devices.
Within the past 3 years, they have released seven software updates with more scheduled for this year. All of these updates aimed to tighten security measures.
Yes, this is a lot of work, but when the integrity of a medical device is at stake, it is a priority.
The amount of work that St. Jude Medical put into their postmarket cybersecurity is nothing compared to the time and resources it would take to recover from a cybersecurity breach.
Driving the Point Home
The FDA recommendations are a good starting point for using your Quality Management System to improve your own security measures. Some features to take advantage of:
Risk Management Tools for identifying which vulnerabilities could be the most dangerous.
Document Control and Employee Training to keep everyone informed of possible threats and trained on the set procedure for identifying and handling them.
Reporting Tools to identify trends and measure security improvement.
Given the FDA recommendations and the tools you already have in your QMS, you can take proactive steps to reduce the chances of a cybersecurity breach and maintain the integrity of your medical devices.