Ajit Patwardhan   00:00

Welcome to the Medical Affairs Professional Society MedTech Focus Area Working Group’s two-part podcast series on Medical Device Cybersecurity. This is our second podcast of the two-part series in which we will continue our discussion on cybersecurity and its importance for medical device manufacturers. I am Dr. Ajit Patwardhan. I’ll be the moderator for this podcast. I currently serve as a member of the MedTech Focus Area Working Group, and I’m a Medical Safety Officer at Olympus Corporation of Americas. Before we start today’s discussion, I just wanted to share a quick legal disclaimer. So, the views expressed in this recording are those of the individuals and do not necessarily reflect on the opinions of MAPS or the companies with which they are affiliated. This presentation is for informational purposes only and is not intended as legal or regulatory advice. We encourage you to engage in conversations about MedTech with other MAPS members via MAPS Connect on the MAPS website, or on your mobile app. Simply login with your email address and password associated with your MAPS account and access the Global Community. Then, click on the discuss tab and scroll down to MedTech Focus Area Working Group to post any questions or review previous postings. Let us start the podcast and today’s discussion. Before I do that, I wanted to touch base on what we discussed during our first series of the podcast. So, in the first part of this two-part series, John Giantsidis, the President of CyberActa, helped us understand three things. First, what is medical device cybersecurity, why should we care? Second, why does FDA and others care about medical device cybersecurity? And third, what are the regulatory expectations related to this topic? In this second podcast, we would like to continue our discussion on this critically important topic, and discuss practical tips on how to incorporate cybersecurity into your own practices and devices. We are to clearly understand what is the legal basis for the cybersecurity expectations? What are some of the right questions to ask to ensure user health and safety is not compromised, also related to the suitability of the device. We would also like to understand what should be considered if our device, if my device has a measuring function, or if it is connected to the energy source. And finally, I would ask John to share what needs to be included in this new era of risk with some good examples and common pitfalls related to medical device risk management. To start the discussion, I would like to again welcome John Giantsidis, President of CyberActa today, and thank him for sharing his subject matter expertise with the MAPS Membership. John, welcome to the podcast.

John Giantsidis   03:11

Hi, Ajit, thanks for having me.

Ajit Patwardhan   03:15

So, John, the first question, which comes to my mind is building on to our earlier podcast in early conversation, can you give us a quick understanding around the legal basis for cybersecurity expectations?

John Giantsidis   03:28

Sure, I’m in the US from the FDA, there are several guidance documents that have been published over the years, both for from a design standpoint, commercialization and post market surveillance in Europe is a little bit more explicit. So, with the new the transition from MDD to EU MDR and IVDR, there are specific requirements that they’re covered in principle within annex one. There’s an expectation of integrated security that really spells out that risk control measures are mandatory in terms of safe design and production. There is a mandatory again risk management for the identification and analysis of known and foreseeable hazards. And obviously, the risk minimization that is taking place according to them. One element that we have seen with within the EU MDR and IVDR is that they are the appropriate precautions that are to be taken to eliminate or reduce any risks that would arise from a defect and then if you were to consider a cybersecurity threat as a defect that will drive those actions. And last but not least, for any device that contains software or it is a software either an SI MD or an SMD, that software is to be developed manufactured according to the state of the art and that includes the principles of software lifecycle risk management, information security and verification, validation. So, it’s important to understand that in this era in this environment, it’s important to consider cybersecurity from the beginning from the design and is an end-to-end process.

Ajit Patwardhan   05:21

Great. Now, I think this is important. Right? So, thank you, again, for helping us understand some legal perspective around this topic and gender requirements, as you mentioned, related to FDA guidance and EU MDR. You know, John, as you know, I work for one of the top medical device manufacturers and have the responsibility for patient safety. So maybe can you tell me what are some of the right questions to ask to ensure user health and safety is not compromised?

John Giantsidis   05:52

Absolutely, and that is something from MAPS standpoint, and individuals, like yourself within Olympus or other organizations is that, is we need to understand and really not necessarily going into the technical aspect of cyber security, but there’s some high level questions, probing questions that we should be asking our teams, our designers to really create the evidence base to evaluate whether or not a vulnerability may impact the user health and safety. So I’ll give you a couple of examples. So the number one question is really does the intended use of the device would expose it to any risk associated with cybersecurity? For instance? Does it run code? Will the device connect to any networks? Will it transmit data? And if that’s so then the next question is how will any of those risks will be managed? So it’s important to understand internally how we’ll be managing those risks? And then secondarily, is there any risk that those vulnerabilities may lead, key point may lead to compromising the health or safety of the user And that can be their patient or an operator. And this comes back to you as a practitioner of safety. Is that risk acceptable? Is there risk that the device could compromise the health and safety of others? Could the device compromise a biomedical network with other connected medical devices? Or is it reasonable to expect that the intended users of a particular device have to have the technical knowledge, the experience or education, to use it in a way that manages or reduces that cybersecurity risk? So if you if you were to think about it, cybersecurity is one of those interconnected risks that apply within a device and individuals like yourself or functions that pertain to the safety of a medical device, it’s important to understand how that would be impacted by a cybersecurity threat.

Ajit Patwardhan   08:13

No, thank you. I absolutely agree with you. I think all of these questions which you just shared with us, these are very key questions to ensure patient and user safety. And personally, I can tell you, I’ll make sure to ask them when I’m doing risk management for our devices. You know, moving forward moving ahead, perhaps you can share your thoughts related to cybersecurity, in the context of cybersecurity, what do you mean by suitability of the device?

John Giantsidis   08:43

Sure, and I think that goes back to the continuum of evaluation that interface of safety and performance is that, is that identified or cybersecurity vulnerability? Could that impact the intended performance of the device? Does a device intended purpose would stay validated current when the network or network components are updated? Now, if we go into little more detail, is the cybersecurity of the device able to be regularly maintained? Well, will the device require patches or updates to the software to be acceptable and in safe performance? And then secondarily, how will those updates be delivered, verified and what else needs to take place? And then more importantly, from a holistic product risk management approach, what is the potential of intrusion based on a project the level of cybersecurity threat due to the expected life of the device and identify the mitigation strategy to do with that design? So if you think about it, if a design is, or the expected life lifecycle of a device is seventy years, how would it be maintaining that the cybersecurity framework for that device? And what is the impact of that device to its safe operation? And that is important to be included in the overarching process within product risk life management.

Ajit Patwardhan   10:19

Okay, thanks, John. I think, you know, my next question is building on to what you just shared. Can you tell us? You know, what do I need to consider if my device has a measuring function?

John Giantsidis   10:34

Great, great question, Ajit, and that is one of the really the hot topics both from an FDA and an EMA review is, and I will explain it in a way that is the manufacturers are to be able to demonstrate and deal with objective evidence that whether or not a cyber exploit, a cyber threat could affect the measurement accuracy, the precision is the ability of a medical device. And if that does is the integrity of the data isn’t vulnerable to cyber attacks. And if you were to think about it from a safety standpoint, what would happen if the measurements become inaccurate, because of a cyber attack? Could this result in harm to a patient? And then secondarily, do we have the appropriate cybersecurity controls in place to make sure that doesn’t happen?

Ajit Patwardhan   11:35

John, I think I agree with you related to what you shared in terms of the device having measuring function, what do we need to consider if our device is, let’s say, connected to an energy source?

John Giantsidis   11:49

Absolutely, Ajit. That’s a great question. And that is, and that is really important when it comes to understanding the function, and the intended use of the device and really is, from a safety standpoint is have we considered whether or not a device is protected from cybersecurity threats, that could cause the device to either withholds too much energy or deliver too much energy or substance. So if you’re if you’re thinking about it, and infusion pump, that may or may not be impacted by a threat, could that infusion pump deliver either energy or the substance associated with that infusion pump? And then secondarily is have we built the the conditions to to evaluate the capability to log security issues? And then when it comes to energy, it’s important to understand that you consider, especially for implantable medical devices, as to what is that energy emission that is being controlled by the device itself? Because that could have, as you know, we could have a patient impact as well.

Ajit Patwardhan   13:03

Yeah, no, I agree with you. And I think, you know, as I was listening to what you shared with us today, I think this is this is perhaps an excellent information for several of us that were working on devices with the measuring function and devices connected to energy source. So again, thank you for your insights. So John, I think, you know, in the first series and the discussion today in the second podcast, I, you know, a question which comes to my mind as we are trying to wrap this up is, what would be you know, your final advice or what do you think you would like to advise the medical device manufacturers? What do they need to consider in this new era of risk?

John Giantsidis   13:48

Absolutely, Ajit. That’s a fairly common question that we get is really is it’s important for medical device manufacturers, whether are in the traditional aspect or in digital health software’s or medical devices, that is to establish, really the framework to proactively monitor identify and address vulnerabilities and exploits as part of their post market surveillance and management process. Because cybersecurity is continuously evolving, it is not a static environment. It is fairly much a dynamic. And most regulatory agencies are requiring of the manufacturers to demonstrate a plan for ongoing monitoring and really, how to respond to emerging cybersecurity threats to their device and how they’re going to manage them in the field. So really, the considerations that they need to address is that the post market surveillance program needs to have a function of facet of it that be able to track assess and respond to newly discovered vulnerabilities. There is a technical aspect, which is the patching for the software to maintain the safety and effectiveness of that device. And then really, what is the nice to have or strongly recommended is the vulnerability disclosure. So, we have a formalized process for obtaining Cybersecurity Information, really assessing the vulnerabilities, developing the mitigation and remediation strategies, and disclosing those with others. And this is something that, you know, we strongly encourage to, to, for organizations to participate in information sharing, because if there’s an ability to prevent somebody’s injury, or somebody’s death is something that is we strongly recommend, and encourage along with the FDA and others.

Ajit Patwardhan   15:50

Right, I think we as medical device manufacturers really need to be fully aware of this new QMS processes, and try to incorporate them during our medical device risk management planning. So thank you again, you know, final question for you, John, can you share some examples of common pitfalls of medical device risk management?

John Giantsidis   16:13

Absolutely. So and this is kind of in not in in terms of severity is really what we’re seeing is, is in general, is really just kind of the curtain not having a well maintained hardware software asset inventory, that’s one of the most common elements not having, really the ability or the resources to, to remediate or mitigate known vulnerabilities. We have seen examples where manufacturers are using software that may have 300 or 400, over 1000, CVEs of common vulnerabilities. That is that is something that needs to be addressed. And unless, you know, the FDA or another agency tells them to do so, really the failure to continuously monitor the medical devices environment to identify any vulnerable components and to make sure we don’t reintroduce them really using outdated hardware software, and not having devices that can tolerate patching. And we’ve seen that in the field where some of the legacy devices are not patchable. It’s simply not technologically it’s not it’s we’re not able to patch that, the failure, and the last one, Ajit, is really the failure to prioritize the vulnerabilities according to their exposure and risk levels they create for the device. And this goes back to understanding what is the impact of those vulnerabilities, not only technologically, but what is the impact to the patient safety.

Ajit Patwardhan   17:57

Thank you, John. In my experience, as we are all getting familiar with the cybersecurity around medical devices, I have certainly come across situations where, you know, we were we were exposed to some of the pitfalls you discussed. So it’s important that you know, as medical device manufacturers, we take appropriate steps to ensure that, you know, all the appropriate risk management measures are incorporated in the, in the device development from probably, you know, from the concept stage, all the way to when the device is retired. Well, thank you again, you know, for sharing your expertise on this very important topic. John, as I was trying to put my thoughts together, I wanted to say that what I have learned during this conversation is that the expected approach of medical device cybersecurity is that similar to other risks of cybersecurity risk is not effectively minimized or managed, this can result in compromised device functionality, loss of data availability, or integrity. And this data can be medical or personal data, can lead to exposure of other connected devices or networks to security threats. And this, in turn, may have the potential to result in patient illness, injury or death. Would you agree with that?

John Giantsidis   19:28

Absolutely, Ajit. It’s really, it’s one of the key points that we’re trying to convey both from to our medical device manufacturers and in hospitals that they’re the users or recipients of those devices. The last part is to have folks remember is that from a traditional post market surveillance that if we’re to apply security patches or patches in general to prevent death or serious injury of a person, those are reportable events and whether they’re going to be under the FDA recalls or within the European as an FSM, those are something that needs to be considered as we move forward and we adjust the practices right now within the traditional QMS of a medical device manufacturer.

Ajit Patwardhan   20:17

Yeah. And I’m confident that the listeners will incorporate these practical tips and information you share to manage the cybersecurity risks for their medical devices. Thanks again, John. Before I end today’s podcast, I would request our listeners to consider joining the MAPS organization. To access additional resources in this area, please visit the MAPS website at www.MedicalAffairs.org. To explore joining today. I would also like to invite professionals to attend the upcoming annual maps conference scheduled for March 21 to 23rd in New Orleans. If you’re a MAPS member, I thank you for your support of MAPS. This concludes the podcast.