Ajit Patwardhan   00:00

Good morning. Welcome to the Medical Affairs Professional Society’s MedTech Focus Area Working Group’s two-part podcast series on medical device cybersecurity. This is a follow up to a published white paper on the safety impact of medical device cybersecurity. In this first podcast, we will discuss what is cybersecurity and its importance for medical device manufacturers. I am Dr. Ajit Patwardhan. I will be the moderator for this podcast. I currently served as a member of the MedTech Focus Area Working Group and I am a Medical Safety Officer at Olympus Corporation of America. Before we start a legal disclaimer, the views expressed in this recording are those of the individuals and do not necessarily reflect on the opinions of the MAPS, or the companies with which they are affiliated. This presentation is for information purposes only and is not intended as legal or regulatory advice. We encourage you to engage in conversations about MedTech. With other MAPS members, we have MAPS Connect on the MAPS website or mobile app. Simply log in with your email addresses and password associated with your MAPS account and access the global community. Then click on the discuss tab and scroll down to med tech focus area working group in the general MAPS Connect discussion forum to post a question or review previous postings. Let us move into our discussion today. The podcast objective are threefold. As we all know, as for the FDA, October was a Cybersecurity Awareness Month and today we are going to talk and discuss about this critically important topic. Our objectives of this podcast are as follows. First, what is medical device cybersecurity, and why should you care? Second, why does FDA and others care about medical device cybersecurity? And third, what are the regulatory expectations? I would like to thank today’s speaker for sharing his subject matter expertise with the MAPS membership. Speaking today, we have John Jancis. Who is the president of cyber actor. John, if you don’t mind, please briefly provide information about your current position and CyberActa.

John Giantsidis   02:44

Good morning, everybody. Good morning, Ajit. Thanks for having me, John Giantsidis the President of CyberActa, we concentrate on digital in cybersecurity in background, it has been in medical devices, both of the software compliance and really regulatory expectations with the FDA and global regulatory agency.

Ajit Patwardhan   03:06

Thank you very much, John. Now, as we go into the discussion, the first question I have for you is, you know, what is cybersecurity? Can you please explain what cybersecurity means.

John Giantsidis   03:21

Absolutely, Ajit. Think of cybersecurity as the ongoing application of those best practices intended to ensure and preserve the confidentiality, integrity and availability of any digital information as well as the safety of people environments. It is important to note that the pillars of cybersecurity used to be a triad confidentiality, integrity and availability. However, it is important to know that in medical device cybersecurity safety is the newest member of the roster, and is really has been introduced to address the everyday live threats posed by the internet of medical things. The pillars of cybersecurity used to be a triad confidentiality, integrity and availability. However, in medical device cybersecurity, safety is the newest member of the roster. It has been introduced to address every day, live threats posed by the internet of medical things of such confidentiality the means of protecting any assets from being accessed by unauthorized parties, integrity, the consistency the accuracy and the trustworthiness of a process or output over its entire lifecycle, the availability, the set of practices and tools that are designed to ensure that timely accesses data and now in medical device cybersecurity, its safety and is all those activities and considerations for any cybersecurity incidents that could result in injuries even doing user or to a patient and sometimes unfortunately, the loss of life.

Ajit Patwardhan   05:05

Thank you, John. Now that we are simulated everyone to the definition of cybersecurity, can you explain why does the Food and Drug Administration FDA, care about this issue of cybersecurity of medical devices?

John Giantsidis   05:24

Thank you, Ajit, absolutely medical, it’s really to understand that cybersecurity is both safety. Medical devices with software, or software as a medical device or even connected within a network are susceptible to cybersecurity risks. These risks could potentially lead to an increased risk of harm to patients, and that those may include denial of the tenant service or therapy. And that can cause a delay of treatment. And obviously, we can have an injury or death, we can have an alteration of a device function that, again cause patient harm, either as an injury or death, we can have really the alteration of the personal health data and that can result in the wrong treatment or incorrect treatment being delivered, and consequently have injury or death. From a patient impact standpoint, it’s important to know there are several categories for the individuals to consider is that the impacts can be directed either to medical devices themselves or a collateral to other malicious activity, we can have an impact directly to the patients or can have an impact to the patient care processes, the clinical workflows that exist, some of the potential attack impacts that goes back to degraded or partial functionality. A device whether used by healthcare professional or the patient themselves, may be may no longer be usable, maybe inability to access the network loss or inability to access data or denial of that service, that either the healthcare professional or the patient is using, then obviously, we have the the malicious data manipulation or the device manipulation itself, going more detail from a patient effects standpoint is we need to understand what is that degraded or partial functionality and then what are the causes of it in malware? Is this kind of scanning is a botnet in some of the what we have seen working with hospitals with with other medical device companies is that what is that the impact of those examples, for instance, diagnostic tests or treatments may be delayed, were unable to be performed, or patient monitoring can be interrupted. The other another item is device destruction, that patient care is impacted because of the inability to provide diagnostic tests, or Qt Cruz procedures or monitoring of patients. And the inability to access the network is that aspect, the impact of the patient care, because the patient or the healthcare professional cannot access the treatment plan or it’s unable to save that data that has been generated. And lastly, what I don’t want to make sure, it’s important to understand that that that loss of data is critical, because equally it could have an impact you the patient history so the for a healthcare professional will not have the complete history of treatment available for that for that patient. And that can extend to medications I can extend to laboratory results can extend to any monitoring data that would apply with a particular device or a system that is being applied for the patient care in question.

Ajit Patwardhan   09:09

That is very interesting, John, you know, I’ve worked for a medical device manufacturer, maybe can you help us understand, particularly what are the regulatory expectations from medical device manufacturers?

John Giantsidis   09:27

Sure, from an FDA standpoint, and really the rest of regulatory agencies, the expectation is that medical device security has to be part of a holistic approach because the cybersecurity landscape is constantly evolving. So, it’s important to understand that from an FDA right now, where we’re still dealing with guidances but from an EU MDR standpoint their explicit requirements as pertains to security. The Australian therapeutical organization has issued final regulatory frameworks for cyber for medical device cybersecurity. So, it’s an expectation that that mandates the total product lifecycle. And really what we’re trying to explain is that like, like any other risk, if a cybersecurity risk is not effectively managed, minimize throughout the lifecycle of a device, it can lead to issues when it comes to to cybersecurity or medical device cybersecurity. So, the recommended approach is to include risk management, change management, design, control, manufacturing, supply chain, complaint management, and post market surveillance. And I’ll go into more details when it comes to the traditional safety risk management, as you know, and you’re an expert all that is medical device risks. As of right now, they’re managed in accordance with 40 with ISO 4971, the new regulations and new expectations, the require broader view of risk to address those new cybersecurity requirements. So, it’s important to note and identify in any company or hospital that there are three main types of risks, security risks without a safety impact, that is the traditional safety risk management approach, then we’ll have to look at security risks that could have a safety impact. And that is the interface that is important for organizations to have the framework in place and address that. And then the last category or type of risk is those safety risks without any relation to security. So, that is something that organizations have to include, and it’s imperative to include as part of their process. What we recommend from, from cyber aka and really trying to be alignment with the expectations of regulatory agency says that it has to be the alignment between safety and security risk management, it’s important to know the safety risk management is it’s a core process in medical devices. But due to the broader perception of risk, it’s important to have a companion process to really address and comprehend the cybersecurity risk for that particular device. If a security risk has a safety impact, he will be propagated as an input to the safety risk evaluation. So, for somebody like yourself that manages safety, for an organization, cybersecurity now will be part of your daily activity, because that impact, the cybersecurity impact will have to be analyzed for any aspect of it that can have an impact on the patient, or the user. So, it’s important to understand that and is really what we’re trying to convey to medical care professionals to safety professionals is that everything starts with the secure design and development of a device. And it’s important to understand that security risk management is an integral part of that secure development lifecycle. So, potential security threats need to be identified with a systematic approach, such as Threat Modeling is that it’s something that the FDA, especially for new applications, really supports and warrants in their submissions. And really, from a medical device software development, it’s important to consider 60 to three or four as a standard to really incorporate the existing development process with cybersecurity activities. So, what we mean by security by design is those overarching philosophies that an organization is using to identify the security requirements for the particular device, how is it being secured, you know, you have security implementation, the verification and validation testing, the security, update management, the security guidelines, and really, how’s that been communicated to the user or the patient? And last but not least, it’s very important and this will be for somebody that, like yourself that that oversees post market surveillance activities. It’s so understand that there has to be a post market cybersecurity oversight. And that that surveillance aspect is to identify the number of safety related hazards of a medical device that could have or may have had an impact by cybersecurity threats. So, it’s important to understand what are the activities that have been taken place, and how exactly we’re going to address it within a medical device. It’s important to note as a closing statement that most organizations depend on a combination of commercial and custom developed hardware software products support their medical device needs. These technology components inevitably include vulnerabilities in the design setup, or the code that runs in cyber vulnerabilities coupled with growing threats create risks by leaving medical devices open to attacks, data breaches and other cyber incidents. These events could lead to patient harm regulatory enforcement, litigation, or even credibility loss. organizations, medical device firms and medical device manufacturers must understand these risks and in really address cybersecurity management in a well defined and managed program.

Ajit Patwardhan   16:06

Well, I think this was extremely important information which you shared. John today, in this first podcast on this topic. I thank you very much for your expertise here. And, you know, the next podcast, we will try to discuss practical tips on how to incorporate cybersecurity in into our own practices and devices. We would typically, I would say, like to address what are the typical questions regarding health and safety? What are the typical questions regarding suitability? What if my device has a measuring function? What if my device is equipped or connected to an energy source and what needs to be included in the new era of risk? So, thank you again, John. I really appreciate your time today. To end the podcast, I would just like to say that if you’re a MAPS member, thank you for your support for MAPS. If you’re not a MAPS member, and would like to access to additional resources in this area, please visit the MAPS website to explore joining today at medicalaffairs.org/membership. This concludes the first series of the podcasts.