By AAMI
A new and rapidly growing technology, cloud computing is changing how medical device developers think about data and computational costs. However, for medical devices and quality systems, the significant benefits of cloud computing also come bundled with a new set of risks. That’s why experts from industry, medical device software development and regulatory consulting recently pooled their knowledge to develop a new consensus report (CR) with the Association for the Advancement of Medical Instrumentation (AAMI).
Titled CR510, Appropriate use of public cloud computing for quality systems and medical devices, the new document provides guidance regarding the appropriate use of public cloud computing both as a component of medical devices and in support of quality systems. One important consideration with public cloud computing is that service providers regularly make changes to their platforms that can affect computing or functions.
“Those changes can occur without your prior consent, sometimes without prior notice, and perhaps even without notifying you after the changes have been made,” said Randy Horton, vice president of solutions and partnerships at Orthogonal, who co-chaired CR510’s task group under the auspices of the AAMI Application of Quality Systems to Medical Devices Working Group.
“When medical devices are approved, they are under strict ‘change control.’ That is, any change they undergo must be assessed to determine if it requires resubmission for approval by regulators like the U.S. FDA,” explained Joe Lewelling, senior advisor on content and strategy at AAMI. “That’s fine when you control everything, but when you are using cloud computing, you’re working with a service provider. CR510 is the first document that really addresses how to use third-party computing platforms to operate a medical device safely and effectively.”
The task group, including co-chair Pat Baird, head of global software standards at Philips, assembled a team of industry experts to determine how cloud computing differs from other technologies that have made their way into regulated medical devices over the last several decades.
“The key insight we arrived at was that public cloud computing has challenged the traditional notion of control in a validated state – that I as a medical device manufacturer control every aspect of this device or system,” Horton said. “By introducing a modern, distributed and abstracted model of computing, you’re trading away some control for increased reliability, richer feature sets, enhanced security and a far more flexible model for infrastructure scaling.”
“The bottom line is that with the cloud, your medical device is living in a wonderful, but more chaotic world,” he added. “And that’s OK, so long as you understand and explicitly acknowledge this change, gather the necessary knowledge, incorporate that into your risk analysis and then make thoughtful design decisions.”
Following the success of CR510, the AAMI Standards Board has approved development of a new technical information report (TIR) that will further explore best practices on this important subject by providing additional conceptual and practical guidance. Parties interested in participating in the TIR subcommittee should contact standards@aami.org.
AAMI Responds to FDA Discussion Paper on Cybersecurity and Servicing
How can organizations and healthcare technology management (HTM) professionals who service medical devices protect these assets from hacking, malware, ransomware and other cyberattacks?
The Center for Devices and Radiological Health at the Food and Drug Administration (FDA) sought input on this question in a discussion paper, Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities, which was released in June. The paper focused on four issues that are unique to the servicing of medical devices:
- Privileged access, which means that user authentication and appropriate controls are required to access operating systems and applications.
- Identification of cybersecurity vulnerabilities and incidents, which can help detect, respond to and mitigate risks early.
- Prevention and mitigation of cybersecurity vulnerabilities, which often takes the form of a software update or upgrade.
- Product life cycle challenges and opportunities, particularly related to legacy devices in rural and underserved communities.
With input from AAMI’s Technology Management Council and Healthcare Technology Leadership Committee (HTLC), AAMI responded to the FDA discussion paper in September. Cory Brennan, an HTLC member and cybersecurity attorney, helped craft the response.
The AAMI community identified three overarching challenges vis-à-vis cybersecurity and servicing medical devices:
- The knowledge and training gap. “Few individuals fully understand the cybersecurity needs surrounding medical devices and formal training is not readily available,” reads the AAMI response, which was signed by AAMI Acting President and CEO Steve Campbell.
- The legacy device problem. “Devices designed 15-20 years ago were generally not designed to be upgraded or patched and have limited memory or onboard storage. Cyberattackers are aware that vulnerabilities corrected years ago in new operating systems remain in these legacy devices.”
- The simplest problem – inventory management. “With more than 10,000 medical device manufacturers operating globally, health care organizations find themselves struggling to develop and maintain an accurate network-connected medical device inventory and, more importantly, acknowledging which operating system each device is running and what vulnerabilities exist.”
“One of the biggest solutions to addressing cybersecurity issues is spreading awareness about it and how to combat it,” said AAMI’s Danielle McGeary, vice president of healthcare technology management. “The pandemic has opened up a gap. Medical devices and hospitals are at the forefront of hackers’ interest because they have a lot of proprietary information.”
AAMI offered four recommendations for how entities servicing medical devices can help strengthen cybersecurity:
- Advocate for formal cybersecurity training for independent service organizations and HTM professionals.
- Develop industry best practices/standards for medical device cybersecurity management.
- Create and share network security standards for medical device implementation.
- Further clinician/device end-user education on cybersecurity risks and requirements.
“We applaud the FDA for taking a conservative approach in requesting information to help it assess the questions asked in the discussion paper,” Campbell said. “No matter the outcome, the entire health care industry will be better informed and have much more to think about simply from reading the perspectives that are offered by these diverse stakeholders.”