Blog Tag: Medical Device Software
Cybellum released a medical device survey report on April 20, 2022 entitled “Medical Device Cybersecurity: Trends and Predictions.” The company’s website states that their “mission is to enable manufacturers and their suppliers to develop and maintain products that aren’t just safe, but are also secure.”
According to the company website, in preparing the new report, Cybellum “asked top security experts from hundreds of medical device manufacturers, about their main challenges and how they plan to solve them in 2022, and beyond.”
Cybellum lists the following key findings from the report:
Almost 90% admitted they need to improve on key areas, such as SBOM [software bill of materials] analysis and compliance readiness
Over 55% do not have a dedicated response team (PSIRT) in place
Almost 55% increased their cybersecurity budget by more than 25% in 2022
Other media outlets described the report as finding “widespread cybersecurity noncompliance despite rising investment,” and “[m]ore than half of medical device companies think they are noncompliant with cybersecurity regulations, standards and guidelines.” Further, “compliance with requirements ranged from 54% for Food and Drug Administration premarket submissions to 37% for International Medical Device Regulators Forum (IMDRF) cybersecurity principles and practices.”
According to MedTechDive, the report states that “[m]ore than 80% of respondents see device security as a competitive advantage and almost every polled company increased its security budget this year. However, 78% of those surveyed indicated they are doing the minimum to achieve compliance and 80% view device security as a ‘necessary evil’ imposed by regulators.”
According to a press release by Cybellum, “[m]edical device cybersecurity has become an extremely complex challenge. With medical devices becoming software-driven machines, and the rapid pace at which cybersecurity risk evolves due to new vulnerabilities, complex supply chains, new suppliers, and new product lines, it has become seemingly impossible to keep the entire product portfolio secure and compliant at all times. It is now more important than ever to learn from peers and try to find the best way forward.”
The full text of the survey report can be found here.
On November 3, 2021 the FDA issued draft guidance titled “Content of Premarket Submissions for Device Software Functions.” The final version will eventually replace the FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices,” originally released in May 2005.
In a press release Bakul Patel, director of the FDA’s Digital Health center, stated:
“As technology continues to advance all facets of health care, software has become an important part of many products and is integrated widely into medical devices. The FDA recognizes this evolving landscape and seeks to provide our latest thinking on regulatory considerations for device software functions that is aligned with current standards and best practices.”
The draft guidance pertains to software in a medical device (“SiMD”) and software as a medical device (“SaMD”). The Regulatory Affairs Professional Society (RAPS) describes SiMD as “software that is a part of a medical device or controls it” and SaMD as “software that meets the definition of a device but is not part of the overall device’s hardware.” According to the FDA, both SiMD and SaMD are “device software functions.”
The draft guidance is intended to cover: firmware and other means for software-based control of medical devices, stand-alone software applications, software intended to be operated on general-purpose computing platforms, dedicated hardware/software medical devices, and accessories to medical devices when those accessories contain or are composed of the software.
Portions of the draft guidance to consider include the software device documentation and software risk management requirements. Software may require a basic or enhanced level of documentation, depending on risk to a patient, user, other individual, or environment. A risk assessment and risk management plan may be required.
The draft guidance can be found here.
The market for medical device connectivity is projected to reach about $2.6 billion by the year 2023, according to a report published in April 2018 by several publishers. The report states that the connectivity market for 2018 is expected to be about $940 million. This equates to a compound annual growth rate (CAGR) from 2018 to 2023 of 23.2%.
According to news articles, the report states that “[t]he growth in this market is attributed to the increasing penetration of [electronic health records] and health information exchange systems in healthcare organizations, growing focus on care quality and patient safety, healthcare IT initiatives driving the integration of medical devices with hospital information systems, and the growing need to curtail healthcare costs through a connected healthcare environment.”
The report further states that the medical device connectivity services segment, as opposed to the connectivity solutions segment, is anticipated to grow at the highest CAGR during the "outlook period" from 2018 to 2023. The report divides the technology sector into wired, wireless, and hybrid technologies, and projects that the wireless segment will register the highest CAGR during the outlook period.
The report also breaks the market down by end user into hospitals, home healthcare, ambulatory care settings, and imaging and diagnostic centers, and finds that hospitals accounted for the largest share of the medical device connectivity market in 2017. By region, North America is expected to grow at the highest CAGR during the outlook period, followed by Europe.
The increase in the market is attributed in the report to “growing funding towards innovative projects in the medical market, [the] need to curtail the escalating healthcare costs in the USA, the presence of a big number of healthcare IT firms, rising investments in the healthcare sector by top market players, and increasing awareness about advanced technologies.”
According to an Apple press release, iPhone users will now be able to store and view their medical records on their phones as part of a new feature found in iOS 11.3. Although many patients are already familiar with clinic-specific patient portals, Apple’s new Health Records feature is said to allow patients to download their medical records from a variety of hospitals and clinics, and consolidate those records on their iPhone.
According to Apple, the Health Records feature can be found in Apple's Health app on updated devices. The Health Records feature allows participating hospitals and clinics to transfer medical information to a user's device. The patient's medical record data will be stored along with their own patient-generated data in the consolidated Health app. Users will be able to view recorded allergies, clinical vitals, conditions, immunizations, lab results, medications, procedures, and similar information. Users will also be notified whenever their data is updated, such as when lab results are received.
Apple notes that in the past, patients’ medical records were held in multiple locations, requiring patients to log into each care provider’s website and piece together the information manually.
The press release notes that data within the Health Records feature is encrypted and protected with the user's iPhone passcode. Moreover, no health record data passes through Apple's network. Instead, Apple relies on Fast Healthcare Interoperability Resources (FHIR) and related application programming interfaces (APIs) to transmit the data from a hospital or clinic's electronic health record (EHR) system directly to the user's device over an encrypted connection.
On that basis, Apple maintains that it does not create, transmit, or receive any protected health information for or on behalf of a covered entity or business associate. If a user does choose to sync their health data with iCloud, however, the data will be encrypted in transit and in storage on Apple's servers.
With the push to provide patients with their digital health information comes a push for FHIR, solidifying the technology's viability as a solution to the federal mandate that providers allow patients to access electronic versions of their health records.
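Apple's description above has the provider's EHR returning the patient's data to the phone directly through FHIR APIs. The Python below is an added example, not Apple's or any provider's code, showing the shape of such a FHIR R4 search response and one check the receiving app should make before storing anything: that every resource in the bundle actually belongs to the patient the app was authorized for, since a mis-scoped server query or a tampered response can otherwise put another patient's records on the device. The bundle is constructed sample data; the patient ids p1 and p2, the category names, and the grouping rules are assumptions for illustration.

```python
import json

# Constructed sample FHIR R4 Bundle (fabricated data, not a real EHR response).
# An EHR's FHIR search endpoint returns documents of this shape.
SAMPLE_BUNDLE = json.dumps({"resourceType": "Bundle", "type": "searchset", "entry": [
    {"resource": {"resourceType": "Patient", "id": "p1",
                  "name": [{"family": "Doe", "given": ["Jane"]}]}},
    {"resource": {"resourceType": "AllergyIntolerance", "id": "a1",
                  "patient": {"reference": "Patient/p1"}, "code": {"text": "Penicillin"}}},
    {"resource": {"resourceType": "Observation", "id": "o1", "status": "final",
                  "category": [{"coding": [{"code": "vital-signs"}]}],
                  "code": {"text": "Heart rate"}, "subject": {"reference": "Patient/p1"},
                  "valueQuantity": {"value": 72, "unit": "beats/minute"}}},
    {"resource": {"resourceType": "Observation", "id": "o2", "status": "final",
                  "category": [{"coding": [{"code": "laboratory"}]}],
                  "code": {"text": "Hemoglobin A1c"}, "subject": {"reference": "Patient/p1"},
                  "valueQuantity": {"value": 5.4, "unit": "%"}}},
    {"resource": {"resourceType": "Immunization", "id": "i1", "status": "completed",
                  "patient": {"reference": "Patient/p1"},
                  "vaccineCode": {"text": "Influenza, seasonal"}}},
    {"resource": {"resourceType": "Condition", "id": "c1",
                  "subject": {"reference": "Patient/p1"}, "code": {"text": "Type 2 diabetes"}}},
    # Mis-scoped entry: a medication order for a different patient. A buggy EHR
    # search (or a tampered response) can leak these; the client must drop them.
    {"resource": {"resourceType": "MedicationRequest", "id": "m1", "status": "active",
                  "subject": {"reference": "Patient/p2"},
                  "medicationCodeableConcept": {"text": "Metformin 500 mg"}}},
]})

# Record categories (names assumed for this example) keyed by FHIR resource type.
CATEGORY_BY_TYPE = {
    "AllergyIntolerance": "allergies", "Condition": "conditions",
    "Immunization": "immunizations", "MedicationRequest": "medications",
    "Procedure": "procedures",
}
# Observation resources are split by their category coding.
OBSERVATION_CATEGORY = {"vital-signs": "clinical vitals", "laboratory": "lab results"}


def _subject_ref(res):
    """Patient reference: 'subject' on most clinical resources, 'patient' on some."""
    ref = res.get("subject") or res.get("patient") or {}
    return ref.get("reference")


def _display(res):
    """Human-readable label from whichever CodeableConcept the resource type uses."""
    for key in ("code", "vaccineCode", "medicationCodeableConcept"):
        concept = res.get(key)
        if concept:
            if concept.get("text"):
                return concept["text"]
            for coding in concept.get("coding", []):
                if coding.get("display"):
                    return coding["display"]
    return res.get("id", "?")


def _observation_category(res):
    for cat in res.get("category", []):
        for coding in cat.get("coding", []):
            if coding.get("code") in OBSERVATION_CATEGORY:
                return OBSERVATION_CATEGORY[coding["code"]]
    return None


def import_health_records(bundle_json, patient_id):
    """Group a FHIR Bundle into record categories, keeping only resources that belong
    to patient_id. Returns (records, rejected); rejected lists (resourceType, id, reason)."""
    bundle = json.loads(bundle_json)
    if bundle.get("resourceType") != "Bundle":
        raise ValueError("not a FHIR Bundle")
    expected = f"Patient/{patient_id}"
    records, rejected = {}, []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        rtype = res.get("resourceType")
        if rtype == "Patient":
            if res.get("id") != patient_id:
                rejected.append((rtype, res.get("id"), "foreign Patient resource"))
            continue
        # Authorization scope check: the server's word is not enough, the client
        # verifies every resource is about the patient it holds a token for.
        if _subject_ref(res) != expected:
            rejected.append((rtype, res.get("id"), "subject is not the authorized patient"))
            continue
        category = _observation_category(res) if rtype == "Observation" else CATEGORY_BY_TYPE.get(rtype)
        if category is None:
            rejected.append((rtype, res.get("id"), "unsupported resource or category"))
            continue
        label = _display(res)
        quantity = res.get("valueQuantity")
        if quantity:
            label = f"{label}: {quantity.get('value')} {quantity.get('unit', '')}".strip()
        records.setdefault(category, []).append(label)
    return records, rejected


if __name__ == "__main__":
    print(import_health_records(SAMPLE_BUNDLE, "p1"))
```

Run against the sample with patient "p1", the allergy, two observations, immunization and condition land in their categories while the Metformin order for "p2" is reported as rejected rather than silently stored; the same bundle imported for "p2" keeps only that order. A real client would make the same check on every page of a paginated search, not just the first.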
Apple notes that at this time, around 40 hospitals and clinics are participating, including Johns Hopkins, Cedars-Sinai, Penn Medicine, UC San Diego Health, and Geisinger Health System.
Recently, digital currencies, such as bitcoin, have greatly increased in popularity. Some of this popularity may be attributed to digital currencies' many purported advantages over traditional currencies, for example that blockchain technology provides a distributed, cryptographically verifiable ledger without relying on traditional banking institutions. Newer digital currencies have been introduced with the added feature of smart contracts, which are said to be self-executing contractual clauses that can be programmed into a digital currency transaction. As a result, many new digital currencies have been appearing, with individuals investing in Initial Coin Offerings (ICOs), which are somewhat akin to the Initial Public Offerings (IPOs) of a traditional corporation.
Even more recently, a few companies have begun to make use of digital currencies and blockchain technology in the medical arena. Some proponents consider blockchain technology well suited to securing patient records, and suggest that the smart contracts of digital currencies may allow individuals greater control over their medical data. Below is a summary of a few fields of medicine, and companies within those fields, in which digital currencies and blockchain are already being developed.
Medical Records and Health Data
According to The Merkle, Bowhead Health is the first medical device company using their AHT digital currency tokens with smart contracts to create a new medical data market. The company plans to allow individuals with Bowhead’s digital currency to control the dissemination of their medical data, and also to compensate those individuals if and when they choose to share with research institutions. Bowhead’s AHT tokens are said to allow 70% of research fees to be distributed to users with the other 30% going to token holders.
According to Blockchain News, Medicalchain is a UK-based company using blockchain technology to allow patients to securely store and send their medical records to their healthcare professionals. Medicalchain is said to allow patients to have a centralized medical record accessible from anywhere in the world, and allow individuals the ability to control medical institutions’ access to their records.
The Medical Society of Delaware has partnered with the company Medscient, and they are using blockchain technology to create a proof-of-concept platform to allow insurers and medical care providers to access patient records, according to The Cointelegraph. The article further states that this partnership was made possible when the state of Delaware became the first state to pass a law allowing the use of blockchain technology in business for stock trading and record-keeping.
The Illinois Blockchain Initiative has partnered with Hashed Health to create a pilot program to streamline the process of issuing and tracking medical licenses, according to The Cointelegraph. The goal of this partnership is said to give patients and healthcare providers a transparent license registry system that uses smart contracts to automatically update information.
Medicine and Artificial Intelligence (AI)
According to news sources, Doc.ai is a collaboration between developers from Stanford and Cambridge universities, and is said to be creating a platform built on blockchain technology that uses AI to answer patients' specific questions about their personal health records and their physician's analysis.
On May 30, 2017, Bayer announced FDA approval of a supplemental Biologics License Application for Bayer’s myBETAapp™ and BETACONNECT Navigator™. The myBETAapp joins the growing field of medical mobile applications, which the FDA predicts will reach 1.7 billion smartphone or tablet users by 2018.
According to Bayer, the myBETAapp connects their BETACONNECT autoinjector (for delivering BETASERON®, a therapeutic agent for multiple sclerosis) to a patient’s mobile device or computer, and the BETACONNECT Navigator functions as a tool to view data uploaded by the myBETAapp.
According to the myBETAapp user instructions, the application will:
- Display scheduled injections according to an injection routine
- Allow the user to determine when an injection is scheduled
- Display suggested injection sites based on the injection sites shown in the prescribing information for BETASERON®
- Display a monthly calendar of recorded, missed, and scheduled injections
- Transfer and sync data recorded by the autoinjector to the corresponding injection in the calendar
- Send a notice to record injection data to the patient via email
In the press release, Bayer describes the myBETAapp and BETACONNECT Navigator as allowing further connection between the patient and the healthcare team by, with the patient’s permission, providing access to the patient’s injection history. The application is also advertised as providing further connectivity to a BETA Nurse for patients enrolled in BETAPLUS®, Bayer’s patient support program.
According to Dr. Kantor, President Emeritus, Florida Society of Neurology:
The myBETAapp and BETACONNECT Navigator work cohesively together to support communication and connection between people living with relapsing remitting multiple sclerosis and their BETA Nurse and health care team.
Bayer reports that the myBETAapp will be available for free download from the Apple app store, Google Play Store, or Betaseron.com by mid-July 2017.
The WannaCry ransomware has infected and locked up computers in many industries around the world. According to a news source report, the attackers demanded payment from doctors and hospital administrators for the keys needed to unlock their systems and regain access in order to treat patients. The Telegraph reports that in the United Kingdom alone, up to 40 hospital trusts were hit by WannaCry, which resulted in a wave of cancelled appointments and a general state of disarray. More recently, the BBC has stated that at least 16 of these hospitals are still facing issues. Given the widespread damage associated with WannaCry, many experts have advocated that the medical device industry should be on alert, now more than ever, regarding the cybersecurity of its devices.
Although the issues associated with medical device security have recently been discussed, some industry professionals believe there does not seem to be an adequate solution to the problem of device security. Tressa Springman, the CIO of LifeBridge Health, explains:
“There’s a lot of talk in healthcare about device security. Discussions about what we’re comfortable pushing as endpoint security and what we’re unable to do – because certainly, we don’t want to create any harm to patients. Many of these devices and the vendors who manage them, it’s very hard to go direct on patching and adding security.”
While medical devices are generally tested extensively for safety, some cybersecurity experts have observed the same cannot necessarily be said for security. Brian NeSmith, co-founder and CEO of cyber security company Arctic Wolf Networks, has stated:
“Medical devices, similar to many other IoT devices, were not designed with rigorous security in mind and are more vulnerable to being hacked. They also do not fall under normal security operations procedures since they are used as needed by the medical practitioners and not deployed and maintained by the IT department.”
Security experts are emphasizing the importance of security patches. Optimistically, Richard Staynings, the principal cybersecurity healthcare leader at Cisco’s Security unit, believes:
“This is going to cause a paradigm shift, at least for patching.”
The U.S. Food and Drug Administration announced the availability of a draft guidance for the clinical evaluation of software as a medical device (SaMD). The draft guidance was prepared by the SaMD Working Group of the International Medical Device Regulators Forum (IMDRF), an international group of medical device regulatory authorities including the FDA. When finalized by the IMDRF, the draft guidance will represent the FDA’s “current thinking” on SaMD clinical evaluation and will not be binding.
SaMD is defined in the guidance as software that functions as a medical device and can run on a general purpose computing platform, “without being part of a hardware medical device.” Unlike other medical device-related software, SaMD primarily has risks associated with incorrect output affecting clinical management of a patient, rather than risks resulting from direct patient contact. Thus, the guidance is intended to address the “uniqueness of indirect contact between patients and SaMD” and provide globally harmonized principles for establishing scientific validity, clinical performance, and analytical validity for a SaMD.
The FDA is seeking public comment on the draft guidance generally, and related to eight specific issues:
Does the document address the intention captured in the introduction/scope or vice versa?
Does the document appropriately translate and apply current clinical vocabulary for SaMD?
Are there other types of SaMD beyond those intended for non-diagnostic, diagnostic and therapeutic purposes that should be highlighted/considered in the document?
Does the document adequately address the relevant clinical evaluation methods and processes for SaMD to generate clinical evidence?
Are there other appropriate methods for generating clinical evaluation evidence that are relevant for SaMD beyond those described in the document?
Are the recommendations related to the “importance of clinical evidence and expectations” appropriate as outlined for the different SaMD categories?
Are the recommendations related to the “importance of independent review” appropriate as outlined for the different SaMD categories?
Given the uniqueness of SaMD and the proposed framework—is there any impact on currently regulated devices or any possible adverse consequences?
The draft guidance is available for comment until December 13, 2016.
The U.S. Food & Drug Administration (FDA) issued a proposed guidance on August 8, 2016, regarding software changes to medical devices. The proposed guidance addresses when a change to a medical device's software must be submitted to the FDA in a new premarket notification. The final document will assist medical device companies and the FDA in determining when changes to software or firmware for a medical device require a new 510(k) clearance. The medical devices covered include 510(k)-cleared devices and preamendments devices subject to 510(k).
The FDA’s proposed guidance explains that premarket notifications are generally submitted for commercially-distributed medical devices undergoing significant changes in design. Such changes include modifications that “could significantly affect the safety or effectiveness of the device” or a “major change or modification in the intended use of the device.” The proposed guidance relates to software changes and is an update to the original guidance issued in 1997 regarding changes to existing devices.
The “software” subject to the proposed guidance is defined as “electronic instructions used to control the actions or output of a medical device, to provide input to or output from a medical device, or to provide the actions of a medical device.” This includes software embedded in a device, software that is an accessory to another device, and “software that is intended to be used for one or more medical purposes that performs these purposes without being part of a hardware medical device.”
The FDA provides a flow chart for assisting with the determination, see below. Issues addressed in the determination include changes related to: strengthening cyber security; meeting specifications of the most recently cleared device; introducing or affecting hazardous situations; creating new risk control measures; and affecting clinical functionality or intended use of the device. Additional factors to consider beyond those in the flow chart and some examples of modifications are provided in the draft guidance as well.
The proposed guidance notes that in some cases a new 510(k) is not necessary, and that existing Quality System (QS) requirements may suffice. Such QS requirements mandate, among other things, that the manufacturer maintains records, for production upon request, regarding such changes and the processes used to determine the changed device meet the design specifications. Further, the proposed guidance does not apply to software for which the FDA has previously said it will not enforce compliance, including some mobile apps used with medical devices.
Some observers think the proposed guidance will help with improving cybersecurity of connected medical devices. The public may provide comments to the FDA on the proposed guidance until November 7, 2016: comments may be submitted electronically here.
Apple announced CareKit on Monday, a new, open-source software framework designed to help app developers in the medical care space enable people to actively manage their own medical conditions. The press release states that:
“[A]pps using CareKit make it easier for individuals to keep track of care plans and monitor symptoms and medication; providing insights that help people better understand their own health. With the ability to share information with doctors, nurses or family members, CareKit apps help people take a more active role in their health.”
According to the press release, CareKit is not an app itself but rather a software developer kit, or SDK, that can be used by the developer community to create apps. As such, general users of Apple's products won't directly use CareKit, but in the near future those with specific health needs may find themselves using third-party software built on Apple's new platform. Apple's press release indicates that apps are already being built using this SDK, including apps for Parkinson's disease patients, post-surgery progress, managing chronic health conditions, home health monitoring, diabetes management, mental health, and maternal health.
According to the press release, CareKit will be released as an open source framework allowing the developer community to build on the first four modules designed by Apple. Apple’s existing modules include: (1) Care Card for helping people track individual care plans and action items; (2) Symptom and Measurement Tracker for recording patient symptoms; (3) Insight Dashboard for mapping symptoms in the Symptom and Measurement Tracker against the action items in the Care Card to show how treatments are working; and (4) Connect for sharing of information and communication with care providers.
DMH International announced today that its subsidiary, Touch Medical Solutions, Inc. (TMSI), has received approval from the United States Food and Drug Administration for TMSI’s “TouchPACS” medical imaging software suite. According to the press release:
TouchPACS is a cutting edge software suite for the PACS medical imaging market (Picture Archiving and Communications Systems). The market was valued at approximately $2.8 billion in 2010 and it is expected to grow to over $5.4 billion by 2017 . . . .
The press release states that DMH International, through TMSI, specializes in PACS, electronic hospital records, electronic medical records, personal health records, medical transcription, and paperless medical office solutions. The press release is available here.