Tag Archive for: medical device

This is a guest post from Velentium, which provides assistance throughout all stages of medical device development. Velentium is a partner of Jama Software, and this post originally appeared on the company’s blog.

On October 18th, 2018, the FDA released a draft guidance named “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Even though most of the activities and deliverables in the 2018 guidance had been the FDA’s expectations for the previous 12 to 18 months, they were not publicly documented and available to the industry until that time.

(For a complete breakdown of the 2018 Guidance, download our white paper).

The FDA has been working steadily to update the 2018 guidance, taking into account industry feedback as well as input from subject matter experts in medical device cybersecurity, including Velentium’s own Christopher Gates. The estimated final release date for these updates is the end of 2019, but bear in mind that the published draft does reflect the FDA’s current expectations for submissions!

In this post, we offer insight into anticipated changes coming in the official update. Chris’ vantage point within the industry, involvement with special interest groups, and regular contact with regulatory bodies provide us a high degree of confidence about these changes. Even so, they should not be taken as “gospel truth” until we have official FDA confirmation in the form of a published revision to the guidance.

That said, here are five (5) changes we look forward to seeing in the official update.

1. Removed: References to “Likelihood”

We view this as an extremely positive change because, as we’ve written before, “Likelihood” really has no bearing in cybersecurity. This is one place where cybersecurity management diverges sharply from quality management: when you’re mitigating patient risk due to failures, there is no malicious intent at work trying to cause any particular subsystem to fail; therefore, the likelihood that it might fail is useful to know. But as soon as malicious intent enters the picture, likelihood ceases to be relevant because there’s no way to predict whether a given vulnerability will be discovered and attacked by a malicious actor.

Even if it were possible to estimate the probability that a given attack vector will be utilized or a given system vulnerability discovered and exploited, it wouldn’t be practical information to have. Demonstrating device security to regulators is about mitigating vulnerabilities, period. It is not about arguing, based on some trumped-up metric of “likelihood,” that you don’t need to mitigate certain vulnerabilities because no-one will ever find them.

(Note that “Likelihood” of attack is not the same thing as “Difficulty” of attack, which is useful to know and part of all industry-accepted vulnerability scoring systems).

2. Replaced: the CBOM Requirement is Now an SBOM Requirement

In other words, the hardware element of the Component Bill of Materials (CBOM) will not be required, but the software element still will be. As a quick refresher, this means:

“A list of commercial, open-source, and off-the-shelf software components to enable device users (including patients, providers, and healthcare delivery organizations (HDOs)) to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device’s essential performance.”

(Source: FDA 2018 Cybersecurity Guidance)

Depending on the system, the SBOM will include all third-party software components (libraries, operating systems), and will also need to be machine-readable. Finally, the SBOM needs to be cross-referenced to a vulnerability database, such as the NVD, as a manufacturer will want to show that currently there are no known vulnerabilities. Failing to include this will almost certainly result in a pre-market submission rejection.
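The cross-reference described above, as an added example that is not code from Velentium or the FDA. It assumes a CycloneDX-style JSON SBOM (the post only says "machine-readable"), and the component names, advisory IDs and the `submission_ready` helper are constructed for illustration; the advisory list stands in for an export from a database such as the NVD.

```python
import json

# Constructed SBOM in CycloneDX-style JSON (sample data, not from the post).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplessl", "version": "1.0.2",
     "cpe": "cpe:2.3:a:examplevendor:examplessl:1.0.2:*:*:*:*:*:*:*"},
    {"type": "operating-system", "name": "examplertos", "version": "9.4.1",
     "cpe": "cpe:2.3:o:examplevendor:examplertos:9.4.1:*:*:*:*:*:*:*"},
    {"type": "library", "name": "examplezip", "version": "2.3-custom",
     "cpe": "cpe:2.3:a:examplevendor:examplezip:2.3-custom:*:*:*:*:*:*:*"},
    {"type": "library", "name": "vendorblob"}
  ]
}
"""

# Constructed advisory records; IDs are placeholders, not real identifiers.
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "vendor": "examplevendor",
     "product": "examplessl", "introduced": "1.0.0", "fixed_in": "1.0.3"},
    {"id": "EXAMPLE-ADV-0002", "vendor": "examplevendor",
     "product": "examplertos", "introduced": "9.0.0", "fixed_in": "9.4.0"},
    {"id": "EXAMPLE-ADV-0003", "vendor": "examplevendor",
     "product": "examplezip", "introduced": "2.0", "fixed_in": "2.4"},
]


def parse_version(text):
    """Return a comparable tuple for dotted numeric versions, else None."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # treat 1.0 and 1.0.0 as equal
        nums.pop()
    return tuple(nums)


def cpe_vendor_product(cpe):
    """Extract (vendor, product) from a CPE 2.3 string; None if malformed.

    Simplification: escaped colons inside CPE fields are not handled.
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    return fields[3], fields[4]


def load_sbom(text):
    """Parse the SBOM and return its component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def cross_reference(components, advisories):
    """Sort components into vulnerable, unresolved and clean.

    A component that cannot be matched reliably is reported as unresolved
    instead of being counted as clean, so gaps in the SBOM stay visible.
    """
    report = {"vulnerable": [], "unresolved": [], "clean": []}
    for comp in components:
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        ident = cpe_vendor_product(comp.get("cpe", ""))
        if version is None or ident is None:
            report["unresolved"].append((name, "missing version or CPE"))
            continue
        candidates = [a for a in advisories
                      if (a["vendor"], a["product"]) == ident]
        parsed = parse_version(version)
        if candidates and parsed is None:
            report["unresolved"].append(
                (name, "version not comparable: " + version))
            continue
        hits = [a["id"] for a in candidates
                if parse_version(a["introduced"]) <= parsed
                < parse_version(a["fixed_in"])]
        if hits:
            report["vulnerable"].extend((name, version, h) for h in hits)
        else:
            report["clean"].append(name)
    return report


def submission_ready(report):
    """Hypothetical gate: no known-vulnerable and no unresolved components."""
    return not report["vulnerable"] and not report["unresolved"]


if __name__ == "__main__":
    result = cross_reference(load_sbom(SBOM_JSON), ADVISORIES)
    for category, items in result.items():
        print(category, items)
    print("submission ready:", submission_ready(result))
```

The two unresolved components are the ones to watch: a vendor-patched version string and an entry with no version both fail to match any advisory, which a naive lookup would report as "no known vulnerabilities".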

3. Replaced: 2018’s 1-2 Tier Structure

Not much is known yet about the pending overhaul of 2018’s security risk rating system for scaling and assigning a metric to a device, but we do know that it will not be tied to Device Risk Rating (I/II/III), or to Software Classification (A/B/C), which are based on user risk. Rather, it will be based on something else, still to-be-announced. Keep an eye on our blog — we’ll post more when we know more!

4. Revised: Guidance on Investigational Device Exemption Submissions

In the 2018 draft, a footnote on page 5 indicated that manufacturers “may… consider” applying the principles described in the Cybersecurity Guidance to Investigational Device Exemption submissions. This language will be clarified to reflect that the FDA does not consider good cybersecurity development practice “optional,” either for Investigational Device Exemption submissions or Institutional Review Board submissions.

The takeaway here is straightforward: if you plan to deploy or utilize your device at any stage of development in any way that requires first securing approval, you must demonstrate that you have taken all appropriate measures to secure your device.

At Velentium, we practice and highly recommend the secure development lifecycle. Our approach, in which security is fully integrated into the project lifecycle from Phase 0, not only ensures that your device will be compliant and that you will have generated all the artifacts needed for submission well in advance, but also that you will have identified and mitigated any threats to your business model that could stem from the project. Contact us to learn more.

5. Reformatted: the Entire Guidance

Finally, expect a format overhaul of the PDF itself. The 2018 draft attempted to follow the layout from FDA’s initial cybersecurity guidance (originally issued in 2014), but this has proved to be a suboptimal way to organize the new content.

If your current project includes documentation that you are tracing to the structure of the guidance, you may want to hit “pause” on populating that trace matrix (unless you expect to submit those documents before the update is published). Other than that, the reformatting should have a minimal impact except to make the guidance content easier to understand.

Grifols Improves Medical Device Development

Spanish multinational pharmaceutical and chemical manufacturer Grifols is the leading producer of blood plasma-based products. With over 21,000 employees in its four divisions (Bioscience, Diagnostic, Hospital, and Bio Supplies), Grifols develops, produces, and markets innovative medical device solutions and services in more than 100 countries.

As a leader in the future of healthcare, Grifols strives to set the standard for continuous innovation, quality, safety, and ethical leadership. On an operational level, it knew that its requirements and risk management processes played a key role in facilitating innovation, and its current solution wasn’t up to the task.

Grifols Sees Opportunities for Process Improvement

When Grifols’ Diagnostic division began a new project in 2018 to improve the management of disease detection in blood bank laboratory operations, the company knew it had an opportunity to improve its requirements and risk management processes. While the company’s legacy solution had served its purpose for many years, the task of reviewing requirements was arduous. The solution was also unable to facilitate the collaboration needed to keep the project’s team — split between Spain and the United States — on the same page.

“Our globally dispersed teams need to work on the same projects and using our previous legacy solution was very slow,” said Carmen Pazos, Diagnostic Divisions R&D Instruments Senior Manager at Grifols. “We experienced performance issues. We were looking for a way to expedite the process.”

Legacy Solutions Impede Innovation in Medical Device Development

Not only were the processes tedious and error-prone, but since Grifols’ products are considered medical devices, they must also comply with ISO 14971, the standard for the application of risk management to medical devices. So, on top of Grifols’ manual process being time-consuming, it also made it difficult to document and prove compliance.

It was then that the Diagnostic division was introduced to the solution that Grifols’ Hospital division had been successfully using. “When I saw how Grifols was already using Jama Connect, I thought, ‘I really need that,’” Pazos said.

Learn more about how Jama Connect helps teams improve medical device development.

Grifols Improves Risk Management and Speeds Development

Within two or three months, Grifols began working from a medical device pre-configured template within Jama Connect on a small, low-risk project to test its capabilities. Things went well and Grifols began implementing Jama Connect into more projects.

The immediate benefits the Diagnostic team saw from Jama Connect were how user-friendly and intuitive it is, and how it keeps people in different time zones instantly in sync. The ability to comment and facilitate robust discussion within Jama Connect helps remote teams drive clear agreement on project items while also automatically building an audit trail for compliance.

And the results are also worth mentioning. Within months of onboarding Jama Connect, Grifols reported:

  • Savings of 80 hours or more per project
  • Review cycles reduced from three months to fewer than 30 days
  • Requirements linked to risks, tests, and executions for traceability
  • Improved communication and efficiency
  • Reduced rework

Read the full case study to see how Grifols was able to increase efficiency and cut costs by optimizing their requirements and risk management process with Jama Connect.

As medical device developers compete to push the boundaries on designing and building innovative, connected medical devices, the market continues to boom. It doesn’t look to be slowing down anytime soon, either. KPMG estimates that global annual sales of medical devices will rise by over 5 percent a year to reach nearly $800 billion by 2030.

Modern medical device makers are hyper focused on building innovative, connected solutions for the next generation of care. That continued innovation opens the door for new, lower cost technologies for early intervention and at-home care. But it also opens the door for more risk.

In the past, medical device software was generally used to control programs that simply switched the equipment on and off and displayed readings. Today, software and its functions dominate many of the features, making devices far more integrated, complex, and connected, and growing more so every year.

Growing Concern for the Security of Connected Medical Devices

While smart devices provide opportunities for instantaneous results and early medical intervention, connected medical devices are also more vulnerable to both deliberate attacks and undirected malware.

A survey released in October 2018 of 148 healthcare IT and security executives, conducted by Klas Research and the College of Healthcare Information Management Executives (CHIME), showed that an astonishing 18 percent of provider organizations had connected medical devices impacted by malware or ransomware in the last 18 months.

The threats against medical devices have become such a concern that two U.S. federal agencies recently announced a new initiative to address vulnerabilities. In October 2018, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices.

Read this case study to see how RBC Medical Innovations leveraged Jama Connect to unify processes and enhance traceability.

Modernizing Requirements Management to Reduce Risk

The reliance on connected medical devices isn’t going to ebb, and the increased complexity will only make the management and reporting of interconnected information across product definition and verification more difficult and inefficient. This inefficiency is only exacerbated by the use of document-based requirements management, which introduces more risk into the process.

To achieve better results with projects of mounting complexity, teams must get a stronger handle on their process and avoid gaps in development. A better solution for requirements traceability can do just that.

Traceability, normally a sub-discipline of requirements management, ensures that engineering design aligns with the identified needs of users and patients; manages scope by ensuring alignment between engineering work and actual user needs; confirms that device needs are addressed at all levels through gap analysis; and connects the design of the device directly to the verification.

Requirements Traceability is No Longer Optional

Small teams building simple products may be able to get by initially with spreadsheets, documents, and emails, but with the rise of software-driven, connected medical devices and increasing system complexity, requirements traceability quickly becomes too convoluted to be handled manually.

The reality is that the more complicated or distributed the product development process becomes, the more opportunities for error are introduced. Excel just can’t account for the wide array of risks and requirements involved in medical device development.

In fact, according to Stericycle’s Recall Index, software issues were consistently one of the top causes of medical device recalls through 2017 and 2018.

Learn how Jama can help you better manage risk with ISO 14971 by downloading our white paper.

Today’s medical devices are so much more than metal and plastic – they’re incredibly complex, connected devices that require complete hardware and software traceability.

Medical device development contains too many scope changes, remote team members and reviewers, and requirements to be easily managed in documents and emails. Using Excel or an internally developed requirements management solution or system diverts scarce resources and availability away from the important tasks of product development. Instead, team members have to focus on attempting to assemble and maintain traceability, usually resulting in the trace being hastily thrown together in the end for the design history file (DHF).

Traceability increases efficiency, drives alignment, and mitigates organizational risk. And with Jama Connect, teams can link and decompose high-level requirements to more detailed system and sub-system requirements, including associated risks and hazards, to ensure proper verification and validation before release.

Download our eBook, Conquering Connectivity, Competition and Compliance, to learn about the top three challenges that modern medical device makers face and how to overcome them.

With more public attention than ever being paid to the fast-moving, competitive, lucrative and sometimes life-altering world of medical device development, it sounds obvious to say that no company wants to experience a product recall.

And yet some professors from Harvard, Indiana and Georgetown universities have put a finer business point on the issue in a new report that analyzes 13 years of US Food and Drug Administration data.

“Product recalls slow many types of innovation for the firms that experience them,” Ariel D. Stern, an assistant professor of business administration at Harvard Business School and one of the authors of the report, told Harvard Business School Working Knowledge. “At the same time, we see that competitors are likely to accelerate their own innovation activities to take advantage of these weaknesses.”

The report, Recalls, Innovation, and Competitor Response: Evidence from Medical Device Firms, which was released in January, mainly follows two types of medical device innovation — incremental and major. As defined within the report, incremental innovation focuses on products that are more commonplace (such as catheters) that present limited risks and require less development time and resources. Conversely, major innovation (for instance, implantable cardiovascular devices) revolves around medical devices that are complex, costlier, involve higher risks and necessitate hefty development resources.

The effects of recalls differ depending on the innovation type, according to the report. With that said, here are some of its other key findings.

Medical Device Recalls Have Skyrocketed

From 2003 to 2015, the number of FDA-regulated devices increased by 11 percent while the total number of recalls skyrocketed by almost 50 percent, according to the report. Couple that with the estimated cost of bringing a new device to market (between $31 and $94 million), along with the varying consequences of a recall such as rework, lawsuits, loss of reputation, and, of course, human harm, and the stakes become clear.

Medical Device Recalls Knock Teams Off Track by Six Months

A single recall can delay incremental innovation by over six months. That’s because a recall forces medical device development teams — specifically the functional experts — to shift focus away from improving the next release and instead submerge themselves in error analysis and correction. Aside from stunting product advancements, this scenario also drains significant revenue.

Competitors Capitalize on Medical Device Failures  

In the case of a severe recall of a product considered a major innovation, competitors of the impacted company actually increase the speed of their development process to take advantage. According to the report, even a single, major recall can accelerate a rival’s innovation by one month. And while 30 days may not seem like a lot of time, those four weeks have been estimated to equate to roughly $10 million in revenue.

The report does outline some recommendations for medical device companies to avoid recalls. Points of guidance include investing in competitor recall intelligence tools, so organizations can react quickly when a rival fails. Another tip is for medical device companies to create specialized recall recovery teams that can step in when necessary and stop the drain of resources on rework.

Of course, the best approach to product recalls is ensuring they don’t happen. And that’s why another key conclusion was to conduct recall prevention activities, according to the report, as these measures are “more important than previously suggested.” In fact, the report’s lessons could easily translate to a variety of other industries, according to one of the authors.

“Whether your firm is making phones or drones or self-driving cars, recalls can divert efforts from subsequent innovations and spur your competitors to take advantage of the market opportunity,” Stern told Harvard Business School Working Knowledge.

Learn how to build safer, stronger medical devices through mitigating risks and reducing the threats of rework and recalls with Jama Connect® and our Medical Device Services by downloading our guide.  

 

Systems thinking is an approach to solving complex problems by breaking their complexity down into manageable units so the system can be evaluated holistically and by each constituent part. This approach is critical to how we align Jama Connect™ to tackle the daunting complexity of medical device development.  

In our experience working with some of the market’s foremost medical innovators, we’ve seen that teams who embrace systems thinking are better-positioned to modernize and improve their product development processes. Jama Connect is informed by systems thinking and regulatory requirements, while its framework remains flexible enough to accommodate the unique needs of diverse development teams.

In this post, we’ll lay out how and why complex medical device development teams should be using systems thinking to streamline and strengthen processes, according to a recent webinar.  

Why Systems Thinking? 

Complex medical device development teams use systems thinking as a diagnostic tool: a disciplined approach to examining problems more completely and accurately before taking action. Systems thinking encourages teams to ask the right questions before assuming they know the answers.

A systems thinking approach opens up your team and organization to procedure-level improvements and the ability to take full advantage of solutions that support them. 

Even manufacturers developing complex systems that involve multiple disciplines and require the management of numerous subsystems may not be realizing the full value of systems thinking for managing design, collaboration and traceability across teams.  

Visibility and Collaboration 

With a systems thinking approach, teams developing complex medical devices can improve their processes by enhancing visibility and enabling more seamless collaboration and coordination between stakeholders.  

Complex medical device development requires that the right people have visibility into the relevant parts of the system, and a systems-thinking approach helps ensure that the right questions are being asked and addressed. 

Systems thinking also drives teams to coordinate and communicate through a common system need. Collaboration becomes easier and more effective when teams are free to find approaches within their disciplines that are most effective for them, while still meeting the needs of the system.  

Design History File, Verification and Traceability 

Systems thinking also gives teams better tools for managing complexity and change during the design process. With an applied systems approach, organizations can realize and resolve inefficiencies in their product development processes while producing the necessary outputs for the design history file (DHF). Jama Connect, designed to support systems thinking, aligns how your team works with the artifacts required for compliance and the DHF. 

If you’re following ISO 13485 and the FDA regulations for design control, for instance, you’re already driving toward a general systems approach. The regulations require the definition of user and patient needs and the tracing of engineering responses to those needs as design inputs. However, the regulations rightly leave room for manufacturers to define their own procedures, so long as the outcome demonstrates the relationship between the needs, the subsequent design inputs and the resulting design outputs and verifications.  

Applying a systems approach to how you work means that the value of understanding the interrelatedness of the design requirements doesn’t just live in the trace matrix document. This value is realized when you can visualize and interact with the trace during your design definition activities and beyond. The trace must be maintained throughout the design process to be helpful. Thus, the matrix you need for your DHF becomes a byproduct of how you work, not something you stitched together at the end of the design stage when you needed that documentation.  

The same can be said for your design input files and other artifacts: They’re most valuable when they are considered as byproducts of how you work.  

Additionally, verification and quality teams can leverage systems thinking to assess and define verification activities for the system even as other teams explore their responses to the system needs. 

Since lower-level requirements and outputs are defined within the context of a specific system need, traceability allows teams to understand that context and the downstream impacts of any change made.  

Customized Solutions for Medical Device Developers 

Our professional services team has also established a recommended framework for Jama Connect via our Medical Device Services. This framework, informed by systems thinking, guides regulatory compliance while remaining flexible enough to accommodate the diverse needs of teams and organizations.  

In this framework, the need for documentation informs rather than constrains, and it isn’t at odds with your drive to improve your process or the solutions you deploy to realize those improvements.  

Stay tuned for more posts about improving medical device development and the integral role Jama Software is playing for its customers. In the meantime, get a deeper dive into how Jama Connect helps developers balance medical device compliance and innovation by watching our webinar.

With the growing number of connected devices in circulation, the number of potential targets for hackers and other cyber criminals to exploit continues to rise. Among the most common targets for attack: medical devices.

A survey released in October of 148 healthcare IT and security executives, conducted by Klas Research and the College of Healthcare Information Management Executives (CHIME), showed that an astonishing 18% of provider organizations had medical devices impacted by malware or ransomware in the last 18 months.

Medical devices were defined in the report as “biomedical devices used by healthcare-delivery organizations in the pursuit of patient care.”

The report also stated that only 39% of the respondents were “very confident or confident that their current strategy protects patient safety and prevents disruptions in care.”

Although organizations are making gains in developing and maturing their overall security programs, the report says, progress has been slow. This is particularly true when it comes to securing medical devices, the study shows. Unsurprisingly, respondents cited patient safety as their top concern with unsecured medical devices.

“Unsecured and poorly secured medical devices put patients at risk of harm if those devices are hacked,” said Russell Branzell, president and CEO of CHIME, in a press release about the report. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”

Adam Gale, president of Klas, also weighed in on the findings: “Safeguarding medical devices requires a joint effort by provider organizations and device manufacturers. Many providers have the basic building blocks for a general security program in place and are making progress.”

A large majority of the survey respondents (96%) identified manufacturer-related factors as a root cause of medical device security issues. The majority of respondents also reported struggles related to out-of-date operating systems or the inability to patch devices, which have been found to be major security risks. The study also discovered that, on average, one third of medical device manufacturers have said their devices cannot be patched.

“Medical device security is a three-way relationship between provider organizations, the manufacturers, and the regulators,” said Dan Czech, director of market analysis-cybersecurity at Klas, in the announcement about the findings.

Provider organizations can follow industry-accepted best practices such as network segmentation, Czech said. “Manufacturers can include security in the design of all products going forward and can consistently patch currently offered medical devices,” he said. “Regulators can provide incentives and disincentives for manufacturers and organizations to secure their devices and can offer the needed guidance to direct the healthcare industry.”

The threats against medical devices have become such a concern that two U.S. federal agencies recently announced a new initiative to address vulnerabilities. In October 2018, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices.

“As innovation in medical devices advances and more of them are connected to hospital networks or to other devices, making sure the devices are adequately protected against intrusions is paramount to protecting patients,” said Scott Gottlieb, FDA commissioner, in the memorandum announcement.

The partnership between the two agencies will enable them to share information about the constantly evolving threats against medical devices and help organizations in the healthcare industry proactively respond when vulnerabilities are identified.

This isn’t the first time the two agencies have collaborated on medical device security. In recent years they have been focused on the coordination of vulnerability disclosures. The partnership allows device manufacturers to receive technical information from cybersecurity researchers regarding identified vulnerabilities in their products so they can respond to potential threats in a timely way.

Author Bob Violino is a freelance writer who covers a variety of technology and business topics.

The rapid pace of medical innovation has increased the need for medical device companies to incorporate software and new technologies into their products to keep up with market demand.

As medical device manufacturers have adapted their products to incorporate software, tech companies have also seen the market opportunity and entered the medical device landscape.

These developments have led to changes in the FDA’s regulatory processes. For example, the proposed creation of a “Center of Excellence for Digital Health (CoE)” would modernize the FDA’s regulatory approach to meeting the needs of the growing digital health market.

Whether you’re an established medical device company or a new player, every stakeholder faces numerous challenges to keep up with the pace of the market while delivering compliant products that ensure patient safety.

Complexity and Connectivity are on the Rise

In the past, medical device software was generally used to display readings and manually turn equipment on and off. Complexity in requirements and customer needs, however, has made medical device software far more complex.

As with consumer electronics, patients and healthcare professionals expect today’s medical devices to be better, faster, safer and cheaper than their predecessors.

While these market drivers create new, exciting opportunities to innovate, they also carry inherent complexity and risk.

Small teams building simple products can get by with spreadsheets, documents and emails to track product requirements, testing and risk. However, with larger, more distributed teams and the rise of software-driven medical devices, traceability quickly becomes too convoluted to be handled manually: There are far too many scope changes, remote team members, reviewers and requirements.

By automating traceability into a live system of record, medical device developers can establish consistent, accurate links throughout each step of the development process.

In Jama Connect, you can create relationships to link everything together and map out interdependencies among different items and decision makers.

Automating traceability not only organizes your product development process; it also saves time and gives you confidence in your compliance.

New Entrants into the Medical Device Market

On the flip side of traditional medical device organizations incorporating more sophisticated software into their releases, some of the world’s biggest tech companies are increasingly incorporating health data and functionality into their products.

Big tech healthcare is a rapidly growing segment. In fact, major tech companies participated in 27 rounds of healthcare financing within the first eight months of 2018, equal to the total number of rounds in 2014 alone, according to a CB Insights research brief.

Look no further than Apple’s Watch Series 4, which recently received Class II De Novo clearances from the FDA for both its electrocardiogram (EKG) and its notification of irregular heart rhythm. While the letters clearly stated the watches were “not intended to replace traditional methods of diagnosis or treatment,” solutions like these are changing the way consumer electronics companies like Apple think about and develop products.

Compliance today requires a deep level of organization, document and information management, and detailed communications previously unseen in either the medical device or tech industries. This introduces new risks for tech companies without traditional FDA-regulated backgrounds and creates fresh challenges for the FDA’s evaluation of each software solution.

The good news is that being a new entrant into the healthcare market doesn’t automatically put you at a disadvantage. And you shouldn’t have to start from scratch when trying to create a process that satisfies FDA auditors.

Jama Software can help you get up and running quickly with Jama Connect and our Medical Device Services, based on a process tightly aligned to the governing regulations ISO 13485:2016 and 21 CFR 820.30. The approach is designed to accelerate time to value from Jama Connect and give teams confidence that the products they are developing adhere to FDA and ISO regulations.

Accelerate Medical Device Development While Reducing Risk Now

Despite these changes in the digital healthcare market, the goal remains the same: release high-quality, market-driven products that ensure patient safety.

While the changes and regulations can be overwhelming for new entrants into the market, creating a streamlined development process that balances innovation and compliance is a solid starting point that will only lead to greater product success.

Software and hardware teams need to collaborate now more than ever to produce an innovative product that complies with FDA regulations and gets you that 510(k) clearance letter faster.

Jama Software guides cross-functional medical device teams through the development of their Class II and Class III medical devices.

Every day, our powerful platform helps hundreds of customers manage device requirements, risks and testing. Our tailored services allow our customers to spend more time on innovation and less time navigating compliance.

Learn more by registering for our expert-led webinar specifically designed for medical device product and engineering teams, “Balancing Compliance & Innovation in the Medical Device Industry.”

Any cybersecurity expert will tell you that it’s not a matter of if you will be hacked, but when. Healthcare organizations across the country are quickly learning the truth about that axiom.

According to the most recent IBM X-Force Cyber Security Intelligence Index, healthcare tops the list of most cyber-attacked industries. And, according to Rapid7’s threat report for the first quarter of 2018, healthcare beats out industries such as finance, retail, and construction as the one most targeted by hackers.

As we work through the second quarter of this year, multiple hospitals have already been affected by the ransomware SamSam. Then there’s the Orangeworm attack group that’s targeting different facets of the healthcare industry worldwide.

According to HealthITSecurity.com, hackers are increasingly targeting the healthcare industry because of its distributed IT infrastructure (which utilizes a combination of legacy systems and medical devices), constantly available systems, and the amount of sensitive data so many organizations hold.

The average cost of a cyber attack is $5 million, according to the Ponemon Institute, and can be much higher for larger organizations. Erie County Medical Center in Buffalo, NY reported the total costs associated with just one ransomware attack last year added up to more than $10 million.

Healthcare Security Risks

While healthcare IT professionals have been focusing on protecting things like servers and networks, many are learning quickly that certain types of medical devices can also provide hackers a backdoor into systems.

Additionally, despite FDA guidance, hospitals are still struggling with protecting these vulnerable targets. And points of exposure might not always be fully apparent.

As Symantec notes about the Orangeworm threat, for instance, some of the tactics the perpetrators use to gain access to software used with equipment like X-ray and MRI machines are fairly dated. These efforts can still be effective because of older operating systems.

So, theoretically, even if a medical device is boasting state-of-the-art security, if it’s placed in an environment utilizing legacy software and dated operating systems, such as Windows XP, that can introduce risk.

While this may be disheartening to device manufacturers prioritizing security, they should still do what is necessary to protect their products against an attack, and assume the provider will follow safety protocols accordingly.

However, this could be considered a silo approach to cybersecurity, and the threats to medical devices really call for a strong eye on security throughout design, development and deployment.

Healthcare Information and Management Systems Society (HIMSS) is one example of an organization that wants to tear down those silos, calling for a holistic approach to cybersecurity. In its Cybersecurity Position Statement, HIMSS defines that approach:

“HIMSS calls on the healthcare community at-large to work together, and with cyber experts from other sectors, to achieve a future state in which all are prepared to defend against increasingly sophisticated and numerous cyber-attacks… Through cooperation and focused efforts, we can overcome policy, cultural and financial roadblocks, and other barriers that inhibit the development of cyber solutions that work.”

Building Cybersecurity into Product Development

Cybersecurity collaboration must be built into project frameworks that extend throughout the product’s lifecycle.

And speaking of framework, you should take some time to get familiar with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, or as it is thankfully referred to more commonly — “the Framework.”

The Framework is part guide and part reference manual for outside resources that can provide more detail on strengthening security. One of the advantages the Framework offers is that it gets everyone speaking the same language, which is essential if the HIMSS holistic approach takes off.

And it’s not just nice to have everyone on the same page. If you plan on doing business with the government, you’re going to have to show you follow the Framework. Healthcare industry CIOs are very familiar with it, and they are beginning to require vendors to adhere to it. You can expect more will follow.

If this all seems overwhelming and you’re not sure where to begin incorporating it into your product plans, here’s the good news. The NIST Framework was a joint effort between government and industry. One of the industry players was Intel. Soon after the first Framework was delivered, Intel launched a pilot project to test the Framework’s use. They documented the entire project and published a document serving as a use case.

Adding Value Through Education

Medical device manufacturers that build a holistic approach to cybersecurity into their projects will have an advantage over companies that do not. While many hospitals are doing a better job, physician practices still need a lot of help.

According to a survey conducted by the AMA and Accenture, 83% of 1,300 physician practices surveyed already have experienced a cyber attack. While more than half of the physicians surveyed said they were very or extremely concerned about attacks, nowhere in the survey did they directly mention medical devices.

This omission could indicate a lack of understanding on the part of the survey creators, or perhaps it shows that doctors are unaware of the fact that devices — when connected through wireless networks and aging legacy systems — could be the source of a breach.

In any case, you can bet the threats to medical devices are only going to grow more sophisticated and numerous as time passes. Those medical device companies who fail to act will gradually become larger targets for criminals. The faster security is prioritized throughout development of medical devices, and everyone in the industry gets on the same page about security, the better chance we’ll have at staving off the threats of tomorrow.

Author Traci Browne is a freelance writer focusing on technology and products. 

It’s been almost eight years since 4G technology found its way to U.S. cellular carriers. Now, its successor, 5G (short for fifth-generation wireless technology), is set to be a game changer in industries as wide-ranging as autonomous vehicles, medical devices, voice-controlled home assistants and robotics.

Far more than just a faster version of the 4G standard, 5G, which was just released out of the experimental phase last month, promises to support significantly more mobile devices at a time without slowing network speeds, while offering lower latency.

As of now, 5G is slated to be rolled out on select U.S. cellular networks as early as this year. And its increased usage could provide developers and designers with much more reliable connectivity than is available using today’s protocols, which could lead to some incredible things.

5G and Driverless Cars

This means real-time computations can lean on cloud-based services to handle the added informational workload, which could give existing artificial intelligence software and hardware a big boost of smarts and capabilities.

An autonomous vehicle equipped with 5G, for instance, could exchange small amounts of data with the cloud on a continuous basis, and run comparisons with other cars to determine how to handle certain situations at any given time. Gradually, as 5G connectivity blankets roadways and buildings, connected vehicles will be in constant communication with the world around them.

This would unify the map-updating process among all connected cars, bringing together their shared data and putting it to use for the greater intelligence of the group.

Perhaps most exciting from a driver’s point of view, 5G could enable inter-vehicle communication that lets cars navigate obstacles like traffic lights more efficiently.

Medical Devices and 5G

Healthcare is another area where 5G is predicted to contribute greatly in a spectrum of services. According to Qualcomm.com, among the areas expected to benefit the most are Internet of Medical Things (IoMT) and Enhanced Mobile Broadband (eMBB).

For instance, more connected medical devices, such as health-monitoring wearables, will be used to monitor patients. With enough collected data, doctors could rely on predictive analytics to make more accurate diagnoses.

5G is also slated to help bolster eMBB, which would, in turn, bolster everything from live video streaming to virtual and augmented reality. Currently, proper VR systems are dependent on wearable headsets and high-powered computers (or computer backpacks).

With 5G, lightweight mobile solutions are eminently more possible, allowing for a greater immersive experience without the lag that’s notorious for causing nausea among users in the current generation of VR technology. This would dramatically improve scenarios where doctors are treating patients in remote locations, for instance, as well as medical training.

5G Connected Homes

Unlike previous cellular networks reliant on large towers, 5G is likely to be comprised of networked devices as small as home networking routers, according to PC Mag.

Qualcomm says 5G will improve capacity four times over that of existing systems by harnessing wider bandwidths and cutting-edge antenna technology.

The possibilities for 5G go beyond cellular connectivity, and many carriers are eying it for home use as well. Verizon plans to roll out fixed 5G home internet service in a few test cities in 2018. Current 4G capability was never a viable home internet solution because the network simply lacks the capacity for the kind of data that would be flowing through a home-based system.

It’s also considerably easier to kit out a home with 5G. Internet service providers would simply install fiber optics to cell sites every few blocks, and provide customers with wireless modems that connect to the system, according to PC Mag. This is much more efficient than the current method of digging up each and every street to lay new fiber optic cables.

5G represents a multi-generational leap in internet connectivity, and before long will bring nascent technologies firmly into maturity right alongside it. Given how quickly the IoT market is growing, 5G is likely to usher in a wave of new technologies and near-instant upgrades to existing ones.

Learn how a variety of companies are navigating the rapid shifts of developing connected products with the report, “Bridging the Gap in Digital Product Design.”

Once your team uses traceability for medical device development, you’ll wonder how you managed any other way.

Building traceability into the process is a critical step to ensure regulatory needs are met, requirements hit and changes managed along the way.

When brought to market, the margin of error for medical devices is near zero. Any defects not discovered and corrected during development can result in patient injury or death, not to mention devastating legal consequences for the company that released the product. With the stakes so high, every step of the development process must be traceable.

Traceability ensures a collaborative and unified timeline from conception to market, meticulously documenting everything in between. It also allows stakeholders to continually monitor timelines and see how changes affect the team and what response is needed.

In essence, traceability lets teams map out interdependencies at each phase of development and ensure that all compliance regulations are continually met and that changes conform accordingly.

A Unified System of Record for Medical Devices

Heavily regulated products like medical devices require comprehensive audit trails of changes during development.

Traceability enables teams to view and analyze all changes made during development, including who made the change, what it was, when it was made and why it occurred in the first place. Since a traceable development project is kept in a unified system of record, it allows you to revert to an earlier version of the changes.

Traceability also saves time and effort by communicating requirement modifications directly to the relevant group or individuals responsible in real-time, instead of forcing various team members to pore over the spec to determine if the latest change affects them.

Streamlining Communication for Medical Devices

Collaboration has become a central component of product development teams, and it’s the core of modern traceability.

Bringing all stakeholders together ensures compliance as well as productivity. With everyone on the same page, any potential questions an auditor could raise about process or a development decision can be easily answered. Traceability also makes a product lifecycle and its surrounding processes a living, ongoing entity as opposed to an afterthought. This is vital with the increasing complexity of today’s market.

Bringing Globally Distributed Teams Together

Multidiscipline teams working with different processes and systems must be able to see and understand what their fellow collaborators are doing.

This is especially true in complex spaces like medical device development, and traceability lets remote teams move faster and work together in a more cohesive way. This empowers them to independently make important decisions, based on correct and current data.

Anyone pulled into the conversation during development can be quickly brought up to speed without impeding the momentum teams have already built.

Adopting Traceability for Medical Devices

Today’s medical devices are so much more than metal and plastic. Software plays a big part in communicating data to patients and doctors. This means the software component must be as traceable as the hardware, since a single instance of incorrect code can become a major liability.

All risk must be considered throughout the product design and implementation. Proper traceability establishes consistent, accurate links between each step of work to ensure the framework protects the user and organization.

Traceability isn’t just about information tracking; it’s about being able to call up that data in the correct format to share with customers and auditors. With Jama, you can track your design and verification within the solution.

Some of our customers complete their risk management analysis around why a specific severity was assigned or why a mitigation was applied in a certain way. A single spot for modern traceability around the product you’re developing makes it simple to find the information you need about why decisions were made, as well as understanding their upstream and downstream impacts.

Learn how Jama uses live traceability to let medical device developers locate the source of any decision, manage risk and reference similar past projects in our webinar, “Live Traceability: The Golden Key to Proof of Compliance.”