Very good article addressing medical devices and the certification processes...they are not bulletproof as this is work in progress, although we would love nothing better than to have this guarantee, but the fact of the matter is it simply is not there...reality set in...and the device makers are working on getting up to par with having the devices function with security on a network...thus it's no longer just a device game, it's the entire big picture that needs to be assessed...no longer can they rely on the integrators to do the job 100% with security...team effort...thus every medical device company today might entertain the idea of some additional technology partners...some and many have already ventured in this area...but this will always be work in progress to some extent as long as we live with hackers and the potential for security breaches...but the stakes are much higher today with human lives and not just financial reports relying on this technology...The FDA is certainly nowhere near the capability of approving a "software patch" to guarantee safety...their focus has been on the medicinal side of things but as times change this is also something else that encroaches into being able to approve for patient safety...technology....pharma, biotech, and technology all need to come together under one common goal....and with the fractured entities and confusion that exists today....it's a challenge and there's no room for blame shifting as everything that is done today has an audit trail along with a growing demand for transparency...BD

As is the case with other information systems, medical devices are not expected to be bulletproof to receive approval. “We have to balance the need for security of these devices and network segments against the need for the real-time and free flow of clinical information so clinicians can make clinical decisions,” Richardson said.
To complicate the situation, many medical device manufacturers are not savvy about information assurance and network security. “Historically, medical device manufacturers have not seen themselves as information systems companies,” Richardson said. “Building cybersecurity into their software is new for them. So this has been a learning process for the government and for industry alike.”
Given that history, it is not surprising that manufacturers were initially reluctant to subject their products to the kind of information assurance processes DOD demanded.
“Up until the last few years, it was tough to get vendors to buy into this process,” Wren said. “From their standpoint, DOD was a small fraction of their business. Their commercial customers were not requiring all of this security. Their attitude was, ‘If you don’t want us, go find someone else.’”

On the other hand, medical equipment presents some unique information assurance challenges. “These devices are also subject to regulation by the Food and Drug Administration,” Wren said. “Because of that, you can’t make changes to systems through patches or otherwise without FDA approval.… If someone puts a patch on a CT scanner, for example, it could change the parameters of how the scanner works and cause injury to the patient. The fix needs to be tested and approved before it is put on the system, and that takes time.”

Who’s hacking your PACS?
