Navigating through these changes is akin to an archer hitting a moving target; it requires constant adjustment.
August 8, 2024
By: Meredith P. Vanderbilt
Director of Consulting, Empirical
Have you ever experienced the frustration of trying to hit a bullseye on a moving target? In the medical device industry, cybersecurity is one of the fastest-moving targets. Medical device companies are now faced with the challenge of becoming archers as skilled as Katniss Everdeen to adjust their aim to the cybersecurity target in motion. As we discussed in “Process and Design Looping: Medtech’s Total Product Lifecycle,” all products should travel a circle of collecting feedback, improving the product, and verifying the modifications, but that product lifecycle is much faster for cybersecurity. Hackers and evildoers are working day and night to find and exploit the vulnerabilities of these devices.
A 2022 report from the FBI cited research that found 53% of digital and connected hospital devices had known vulnerabilities. It is likely that when these devices were first commercialized they were not vulnerable, but they have not been updated to deflect more recent and innovative threats. In 2020, a ransomware attack on a German hospital forced an ambulance to be turned away to another hospital 32 kilometers away and a woman died as a result of the delay of treatment: “The attack compromised the digital infrastructure that the hospital relies on to coordinate doctors, beds, and treatment, forcing the cancellation of hundreds of operations and other procedures. It also limited the hospital’s capacity drastically: whereas it normally treats more than 1,000 patients each day, it could attend to no more than half this during and after the attack.”
Another ransomware attack occurred in the last month on the nationwide Ascension hospital network and the clinical staff had to suddenly shift to a paper-based system. This slowed the internal processes for medications, diagnoses, and treatment. The industry as well as the FDA recognizes the importance of preventing a digital attack on our medical system, which is why the FDA released an updated final guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” on Sept. 27, 2023.
This guidance, among other things, provided directions on what to include for cybersecurity testing for premarket approval submissions. However, this final guidance left the defining boundaries of the target blurry for many. In the few short months since the release of this final guidance, FDA has heard cries from the industry for more clarification from the agency for what is considered the center of the target one must hit to comply with Section 524B of the FD&C Act. FDA recently released a draft of select updates for the cybersecurity guidance that are in the works to provide additional information on cybersecurity and hosted a webinar to provide more insight into the updates.
As technology continues to advance, even something as simple as the definition of a cyber device is evolving. In FDA’s select updates draft guidance, one of the major definitions is clarified: the “ability to connect to the internet” may be intentional or unintentional, and either one makes the device a “cyber device.” This means devices that are not intended to be connected to the internet, but have the ability to be, will be considered cyber devices and will be required to provide all relevant documentation. The full definition of a cyber device is one that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.” Additionally, the FDA provided examples of devices that have the ability, even unintentionally, to connect to the internet:
These proposed definitions might be shocking to some who have digital health devices not intended to connect to the internet but might have the hardware or firmware to connect to the intranet or other digital health devices. Although legacy devices are currently marketed based on previous clearances, updates to hardware, firmware, and software might be needed to meet the new definitions and expectations. This means that internal procedures and processes should be updated to reflect these new expectations.
Another area of concern from the final guidance surrounded Section 524B(b)(1) of the FD&C Act, which “requires manufacturers of cyber devices to submit to FDA ‘a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures’ in their premarket submissions.” The challenge for device manufacturers is that these vulnerabilities are changing continuously; just when one is identified, another is exposed. Industry demanded more clarification from FDA on the expectations of such a plan. The draft guidance addresses this by clarifying what to include for coordinated vulnerability disclosure:
Cyberattacks are evolving and expose new vulnerabilities every day. Medical device companies are responsible for responding to this changing landscape as they make plans to include updates as new threats, assets, or vulnerabilities are identified on both marketed devices and devices no longer marketed, but still in use. Such a situation may have companies cross-eyed as they aim to hit one target by addressing vulnerabilities in a software update, while also needing to hit a second target by addressing existing vulnerabilities in the old software version before the update is completed. Because of this requirement, all digital health manufacturers must have an effective process in place to identify and mitigate all newly identified threats and vulnerabilities in a “reasonable time.” The question for the FDA and the industry to answer together is what a “reasonable time” is. This is part of the moving target archers are seeking to hit.
Manufacturers of cyber devices must “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure…” (section 524B(b)(2) of the FD&C Act). FDA states in the draft guidance that “reasonable assurance of cybersecurity can be part of FDA’s determination of a device’s safety and effectiveness,” but what does “reasonable assurance” really mean? This is a second question for the FDA and the industry to answer.
Metaphoric archers may also be challenged to extend their skills when it comes to predicate comparisons for cyber devices. The draft guidance gives an example of a situation where the subject device is identified to have an increased risk, due to a newly identified cybersecurity vulnerability, compared to a predicate, resulting in a not substantially equivalent decision. Medical device companies and regulators will be further challenged to evaluate risks associated with cybersecurity when considering predicate devices.
The draft guidance draws more defined boundaries around the topic of changes to cyber devices. It provides examples of changes that may impact cybersecurity requiring additional documentation versus examples of changes that wouldn’t impact cybersecurity. This clarification aims to help determine what situations lead to additional submission requirements.
In order to keep up with the world of cybersecurity, the medical device industry must adapt and overcome new challenges to ensure the safety of their devices. Navigating through these changes is akin to an archer hitting a moving target; it requires constant adjustment. The FDA and industry are working together to define the boundaries of this moving target. The draft guidance document aims to provide more clarification on the FDA’s current positions on cyber devices to assist the industry in hitting the bullseye. It is more critical than ever that manufacturers have sufficient processes in place for design development, testing (including cybersecurity), feedback, and security updates for all digital health devices.
Hannah Taggart is a forward-thinking biomedical engineer and regulatory associate with Empirical Technologies who is helping to navigate clients through the complex regulatory landscape to provide innovative and compliant medical devices for their patients.
Meredith P. Vanderbilt is an internationally known medical device regulatory affairs consultant unafraid to communicate directly and honestly with regulatory bodies and clients about strategies and submissions to provide compliant and high-quality devices to the market.