‘Collaborative Community’ Foundation Set
By John Wallace, Editor
CHICAGO | A new alliance has formed.
The Alliance for Quality Medical Device Servicing (AQMDS) recently met to explore the creation of a collaborative community regarding the servicing and remanufacturing of medical devices. The group also discussed cybersecurity, quality management principles and evidence development to assess the quality, safety and effectiveness of medical device servicing. The exploratory meeting was held November 29 in downtown Chicago.
AQMDS, or the Alliance, is an informal coalition of those who service medical devices. The meeting included the who’s who of the industry with representatives from original equipment manufacturers (OEMs), third-party providers and in-house biomeds. Representatives from health care organizations, AAMI, ECRI Institute, The Joint Commission, the FDA and other interested parties were also present.
“The Alliance for Quality Medical Device Servicing (AQMDS) is extremely pleased with the participation in, and successful outcome of, its Summit on the Safety, Quality and Effectiveness of Servicing Medical Devices held in Chicago on November 29th,” a prepared statement from AQMDS reads. “The Summit created a forum to continue the discussion around medical device servicing that led to the FDA’s May 2018 Report on the Quality, Safety, and Effectiveness of Servicing of Medical Devices. Specifically, the Summit engaged discussion on four topics from the FDA Report: (i) Promote the Adoption of Quality Management Principles, (ii) Clarify the Difference Between Servicing and Remanufacturing, (iii) Strengthen Cybersecurity Practices, and (iv) Foster Evidence Development. The engagement and enthusiasm from attendees representing OEMs, health care providers and in-house programs, third-party service and parts providers, the ECRI Institute, AAMI, Joint Commission and the FDA demonstrated to the Alliance that there is strong interest in these topics. The Alliance will publish a summary of the Summit’s key learnings in early 2019.”
The purpose of the meeting was to “advance the conversation,” said TRIMEDX General Counsel Tim McGeath, who served as a moderator at the meeting.
“Our objective today is to continue to build on discussions that started with the FDA notice and request for comment in spring of 2016,” he said to the more than 50 people attending the meeting.
“Our idea, given what’s happened over the last few years and the discussion that was started and the FDA report that was issued in May, was to build on that and see if we can get a broad group of constituents together and potentially form one of the collaborative communities that the FDA has suggested,” McGeath added.
Organizers were pleased with the turnout and participation in a series of open forum discussions regarding four action items outlined by the FDA in its ongoing look at medical device servicing and remanufacturing activities.
“We intended to hit these topics through informal discussions among the group on possible issues, questions, opportunities in these areas and potential ways where the different constituents can work together more closely to address any of these issues,” McGeath said.
The Alliance encouraged participation in an upcoming FDA public workshop entitled “Medical Device Servicing and Remanufacturing Activities” set for December 10. The Alliance also encouraged that comments regarding the workshop be submitted at https://www.regulations.gov, under Docket No. FDA-2018-N-3741, by January 25, 2019.
“The intent of this public workshop is to publicly discuss the distinction between medical device servicing and remanufacturing activities to better inform the development of a future draft guidance. In addition, due to expressed interest from members of the medical device servicing and remanufacturing industry, the public workshop is also intended to discuss opportunities for collaboration among medical device servicing and remanufacturing stakeholders,” is how the FDA describes the December 10 event.
On May 15, 2018, FDA published on its website a report entitled “FDA Report on the Quality, Safety, and Effectiveness of Servicing of Medical Devices” (FDA Report on Device Servicing) in accordance with section 710 of the FDA Reauthorization Act of 2017 (FDARA). The FDA Report on Device Servicing discussed the continued quality, safety and effectiveness of servicing of medical devices by original equipment manufacturers and third-party entities. The report was informed by feedback and comments from an open docket and a public workshop held in 2016, among other information. Based on the available information, the FDA stated that the currently available evidence is not sufficient to conclude whether or not there is a widespread public health concern related to servicing of medical devices that would justify imposing burdensome regulatory requirements. The FDA Report on Device Servicing also included several actions the FDA intends to pursue.
Clarifying the difference between servicing and remanufacturing activities is one of the actions outlined in the FDA Report on Device Servicing. The topic was discussed in detail at the Alliance meeting. Suggestions included the avoidance of vague words and phrases such as “significantly changes.” The discussion also touched on the possibility of “adding liability to the OEM” when a medical device is altered. Other mentions included “label marketing” and “intended use.” The group even explored how altering a medical device to improve its performance under unusual circumstances can void a warranty even if the modifications were needed to provide patient care.
Joshua Silverstein, a biomedical engineer from the FDA present at the meeting, spoke about the definitions, intended use and specifications. He directed everyone to refer to a flow chart in a recent FDA white paper (https://goo.gl/egufCY).
FDA intends to publish guidance to assist in differentiating these activities. The discussions at the upcoming workshop and comments received in the docket will be considered when developing the draft guidance. This draft guidance is on CDRH’s Fiscal Year 2019 (FY 2019) Program Guidance Development “A-list.”
The availability of device specifications continued to be a topic of discussion.
Before moving down the agenda to the next topic, those in the room recognized that an agreement on definitions for “servicing” and “remanufacturing” is needed to advance the conversation.
A 45-minute intermission seemed to add oxygen to the meeting space. Everyone seemed more relaxed for topic number two, “Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices.” A key point of agreement was to gather data for every medical device as it is added to a facility’s inventory. The need to include specific information in a computerized maintenance management system (CMMS) to combat or enable quick reactions to cyber attacks was stressed. Pending legislation and the possibility that some things could be “forced on the industry” were also discussed. Legacy medical devices in use at health care delivery organizations create unique challenges that must be addressed by those charged with servicing equipment. The Manufacturer Disclosure Statement for Medical Device Security (MDS2) was an important aspect of this conversation, but was seen as a starting point and not an all-encompassing long-term solution.
Chris Nowak, CBET, CHP, CSCS, senior director, information services, healthcare technology management at UHS, said his department has had cybersecurity challenges when it comes to some manufacturers.
“We’ve taken the approach that we couldn’t depend on the manufacturers. The OCR is going to fine us so the skin in the game is with us,” Nowak said. “Those fines can be very steep and damaging to the organization. We’ve had to take steps to mitigate those risks and that is all we are doing – we are managing risks.”
“I don’t think you can regulate this into the process,” he added. “We want to look to the government to fix all of our problems and I don’t think that is the solution. It really starts at the acquisition, the process when we are acquiring this hardware that we work with these business partners and those who don’t want to work with us, as end users, then we don’t do business with them. I think that is the solution we looked at in the capital sales situation, where we can impact our cybersecurity through business partners who want to work with us and provide us the tools on the security side of things.”
A bright spot in the conversation came via ECRI Institute’s Kate O’Rourke.
“A lot of the work we are talking about and the need for data standardization and collecting all that information is work that we currently do and we are working with some of you in this room to go ahead and do that,” she said. “Understanding there is a next level needed, capturing not just model and serial number information but getting into actual MAC addresses and whatever, that is something we are doing moving forward. We are actually going to start doing cybersecurity-related alert management. So for those of you who are familiar with us and know that we do recall management, we are launching in 2019 one dedicated to cybersecurity.”
The conversation shifted as those present discussed not only the devices themselves but the environment in which the devices are placed as well as the knowledge that additional technology is brought in and out of health care facilities on a daily basis by patients, providers and just about everyone who enters the building.
“It is really about not just the device, but the device and the environment,” TRIMEDX Vice President, QA/RA and Medical Technology Scott Trevino said. “That is really, from the clinical engineering perspective, where you have that ability to see what can be impacted. Is it on its own isolated network? Is it part of the total network? Are the ports disabled? All these sorts and types of things where you can impact device safety.”
An opinion was expressed that at least one facility sees this more as a budget concern.
“We’ve actually had some clients say ‘Don’t tell me about the vulnerabilities because then my risk management department says I have to solve them and I have no money to solve them right now,’” another person present at the meeting shared. “But, they are taking the stance that it is cheaper to be ignorant. I don’t know that that is a good stance, but that’s what they are doing right now. This really isn’t just about the protection. It is about the overall risk profile of the organization and how they view what the impact or potential of this is.”
It was pointed out that the health sector is not high on hackers’ list of targets and that many problems or issues can be prevented or resolved with awareness, education and training of staff. However, it has been well documented that hackers are targeting health care information/records and it is well known that this information is much more valuable than other personal information being sold on the dark web.
Ransomware was discussed next, followed by the disposition of equipment and how to be certain a device is sanitized with regard to patient information and possible wormholes. Many medical devices can be a gateway to a facility’s network that in turn can create more issues. Tabletop exercises and drills were suggested as means to prepare for and prevent some types of attacks.
In summary, the Alliance outline on cybersecurity included:
- Education and training
- Information profiling/sharing
- End of life
- Inventory
- Timeliness of patches
- Military operating system as an opportunity
- Personnel management
- Remote support
Robert Phillips from Siemens Healthineers added to the cybersecurity conversation.
“From the OEM perspective, it is certainly a concern for us. We are looking at this from a design perspective and trying to harden our designs so that they’re not susceptible to attack, but we’re also looking at it from the MDS2 certificate perspective. We are also looking at it from Software Bill of Materials that is being developed jointly between the industry, FDA and the Department of Defense,” Phillips said. “We are trying to understand how we can communicate the status of software in our devices better.”
He added that a joint effort is needed.
“I think this is a very important topic for this collaborative community to understand what we can do around providing better information on what threats are occurring across our industry, the status of patches for third-party software threats specifically, and whether they’ve been verified or validated by the manufacturer for application on their devices or if there is another opportunity to provide that validation from some other community entity,” Phillips said. “So, I think there was a statement from another attendee indicating that they may be doing patch validation independent of the manufacturer, and if they are willing to share that, and there is a way to do so in a safe way without incurring liability, I think that may be an opportunity for this community to address cybersecurity threats without solely relying on the manufacturer.”
After a lunch break, the group returned to the meeting room to discuss “Promoting the Adoption of Quality Management Principles.” In an effort to jumpstart the conversation, the group was asked to explain the difference between a quality management system and quality management principles.
A discussion about different International Organization for Standardization (ISO) standards such as ISO 9001 and ISO 13485 followed. The conversation revolved around a central theme that earning a quality management certification does not necessarily mean one company is better than another. The group stressed that it comes down to each individual company and its practices. A certification for the same ISO standard can have different requirements set by each company.
A need for standardization, sharing data and looking to other industries for examples on how to advance were all discussed. The aviation industry was referenced more than once as a model the health care sector should consider. The idea of a common nomenclature shared throughout the industry was seen as a need.
Dave Francoeur, senior director of brand and quality for Sodexo Clinical Technology Management, served as one of the moderators for the meeting. His input on quality management helped generate more conversation on the topic.
“Will a QMS system enhance the quality and safety of the organization? And, if the answer to that is yes, then the next question is what does that look like?” Francoeur asked.
“So, Dave, that is a good point,” Nowak said. “The problem is, we have manufacturers who have ISO 13485, 9000, and I can show you time and again in my facilities where I have OEM representation servicing the equipment and I have better results with my team servicing the same equipment but that is because, again, it comes down to the individual. A company can put all these regulations in place, the government can regulate the living daylights out of us, it comes down to you as a leader, your programs, how you are running your programs, how you train your individual, who you are hiring – it starts out with who you are hiring. Hire the right people.”
Summit Imaging CEO Larry Nguyen voiced an opinion that third-party service providers like Summit Imaging should be required to have a quality management system.
“If we had to say if there is a QMS out there for independents like us that improves quality it is an unequivocal yes,” Nguyen said.
He said Summit Imaging’s QMS is certified under the ISO 13485:2016 international standard and has successfully passed four consecutive audits.
“Those organizations in health care that are not governed and monitored by the FDA and/or Joint Commission should comply with 13485:2016 standards. This QMS is designed to continually improve quality, which is the very objective of the system,” Nguyen said. “It is essential to ensure the quality of products ISOs deliver to health care facilities and the 13485:2016 system is a healthy baseline for any organization. This improves patient care through the deployment of quality products while reducing costs. Both are beneficial to the patients we all serve and helping them is a responsibility we all carry.”
Other aspects of the conversation included FDA traceability; non-punitive reporting of near misses, accidents and mistakes; vendor validation; MITA expansion of the scope of the NEMA American National Standard for Servicing of Medical Imaging Devices; and AAMI EQ56.
The fourth area of concentrated conversation was titled “Fostering Evidence Development to Assess the Quality, Safety and Effectiveness of Medical Device Servicing.” A need to set benchmarks and thresholds was discussed as well as a need for regulation. The group attempted to answer the question “Are there things you think we can or should be collecting?”
“People might not like what I am going to say, but this is kind of where regulation comes in, right? So, there are other parts of health care that are doing data collection very well, very effectively and are getting meaningful learnings out of it,” O’Rourke said.
“Regulation drives compliance,” she added. “And then, within the regs, you have to determine what are the key points. What is the common vernacular and that nomenclature that you need? ECRI lives in data. We live in evidence and evidence-based processes, but it is having that regulation that is dictating. With PSOs it is mandatory to be part of one to participate in the exchanges. So, that is what is really driving that data collection and we can see trending and we can do deep dives into certain topics whether it’s opioids or falls or behavioral health or whatever it may be, but unfortunately a bunch of people in room saying ‘Yeah, we think this is a good idea’ isn’t going to drive compliance or contributing to that data set.”
Tracking repairs, preventative maintenance and the sharing of data with OEMs generated input from several key stakeholders present at the meeting. One idea was the need for consequences when issues are not reported. A need to prevent “hidden recalls” or OEM “enhancements” to devices was also explored in the conversation.
In conclusion, the Alliance was pleased with the turnout for its first meeting and the feedback it was able to generate. This start to a collaborative community was seen as a success as the organization encouraged everyone present to continue to share ideas. A desire to continue the discussion at the December 10-11 FDA public workshop and at future meetings was an important takeaway from the forum.
Several participants thanked those in attendance for taking time to be present and share their insights and concerns.
“I give the group a pat on the back,” AAMI President and CEO Robert Jensen said. “This has long been necessary.”
“I think this initial gathering was a success,” McGeath added.