In September 2023 the US Food and Drug Administration (FDA) issued industry guidance on cybersecurity for medical devices to better protect patients, hospitals, and the broader healthcare system from cyber-attacks. Medical device and in vitro diagnostic (IVD) manufacturers will be required to implement significant changes to Design Control and Quality Management practices and procedures to comply with the new regulations. The FDA guidance is a result of years of study and a well-documented increase in malicious attacks on hospitals and other healthcare distribution centers. Indeed, ransomware attacks are now commonplace among hospital systems (large and small) with heavy financial and even patient care consequences. Healthcare distribution systems are unique in their vulnerability to cyber-attacks due to a history of prioritizing patient care and patient outcomes over cybersecurity threats and a reliance on a vast array of tools and devices to manage care.
The Intersection of Cybersecurity and Medical Devices
The past fifteen years have seen remarkable increases in software-enabled smart medical devices and a shift towards an Internet of Things (IoT) healthcare distribution architecture. These trends are responses to strong market demand for smart devices’ benefits, including wider patient access, more effective use of data, better patient experiences, and better patient outcomes. However, these benefits carry increased risks of malicious attacks on healthcare organizations by criminals who exploit vulnerable devices to target individual patient medical records, disrupt operations, ransom data, or enter networks through backdoors to move freely throughout an enterprise. Manufacturers of medical devices must do their part to remedy a situation that is increasing in frequency and severity by improving the quality of their products.
FDA’s Cybersecurity Guidance for Medical Device Manufacturers
The impacts of the FDA’s cybersecurity guidance are only now being appreciated. The scope of the regulations is broad and includes all device software that stores, transfers or analyzes data. Therefore, any medical or diagnostic device with upgradeable software, a USB port, or even compact disc technology is now considered a connected device and is subject to updated regulations. It is important to understand that as of September 2023 any company, whether a startup or a Fortune 500 medical device or IVD manufacturer, developing devices and technology for FDA-regulated markets must update their product development procedures to address the new standards. This means medical device and IVD developers must now add resources and effort to quality management and design controls. It is also significant that the new guidance encompasses not only modern wirelessly connected and IoT technology but also the huge toolbox of existing products already in hospitals. The impacts of this reality could be even more substantial. They will play out as the industry faces balancing legacy technology’s security risks and upgrading systems’ costs.
The Guidance reflects FDA’s recommendations for information to be included in premarket submissions for Basic and Enhanced Documentation Levels. This recommended information should demonstrate that planning, requirements, risk assessment, design reviews, traceability, change management, testing plans and results, and other aspects of good software engineering for device software functions were employed, to support a conclusion that the device software function was appropriately designed, verified, and validated
FDA, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
What Changed at Triple Ring?
In preparation for meeting the design requirements implied by the new medical device cybersecurity rules, Triple Ring’s Quality, Systems Engineering, and Software Engineering teams have completed training on the guidance, have updated quality management processes, and have begun implementing device designs and documentation that will support successful FDA submissions for our clients. The new practices augment a robust and comprehensive quality management system by adding a threat modeling methodology called STRIDE. We have implemented the STRIDE methodology to systematically assess vulnerabilities and mitigate threats throughout the device design lifecycle. We follow a structured process, outlined below, for all our client projects requiring FDA submissions.
Figure: STRIDE framework for assessing, mitigating, and designing devices resistant to cybersecurity attacks.
STRIDE Process
- Identify and document device design elements requiring protection: The use of data flow diagrams (DFD) in parallel with the product architecture allows Triple Ring to decompose any device design to help the FDA understand key elements within the design, core functionality, external connections and how information flows through the device. From software, firmware, and embedded code to wireless communication, and data transfer hardware, the subsystems and components that require threat protection are cataloged in data flow tables.
- Analyze each element using STRIDE methodology: At the subsystem and component level, we analyze the device design for potential vulnerabilities using STRIDE.
- Document potential vulnerabilities and threats: We fully characterize device designs for each STRIDE category and document our findings in detail. By defining the ecosystem and system DFDs, the product can be used to identify assets that threat actors may utilize to probe at vulnerabilities of the product. Triple Ring is well-versed in defining asset and data flow tables in combination with security use cases to analyze the ecosystem and interactions with the device to identify threat events that may occur from element to element.
- Rank the likelihood and impact of threats, and develop mitigations: We then go through a process of identifying threats in accordance with the AAMI TIR-57 Security Risk Process. We quantify the likelihood and severity of each threat using FMEA tools (e.g. decision matrices), prioritize threats according to likelihood and severity, and then identify and develop mitigation strategies (e.g. encryption, access controls, or input validation).
- Test, verify, and iterate: Triple Ring uses the generalized System Science approach to engineering development, which prescribes an iterative process for analyzing, specifying, designing, building, and testing. Gaps identified in our threat modeling analyses are used as inputs for further iterations of the device design and mitigation-specific vulnerabilities.
- Include threat assessment in all FDA submissions: We then include all findings in regulatory documentation and ultimately in the device Design History File (DHF). FDA now requires cybersecurity threat assessments in most medical device and IVD submissions. Clear identification, understanding, characterization, and mitigation of threats will be essential to successful submissions.
The Future of Medical Devices and Diagnostics
The future of the medical device and diagnostics industries is tied to smarter and more connected products. To date, these products have demonstrated clear benefits to patients, hospitals, and manufacturers and will continue to improve healthcare distribution and access. Cybersecurity threats posed by medical devices are well documented and will worsen without modernizing device design and quality management processes. As a result, device manufacturers will increasingly be required to mitigate these risks in the products they sell.
To learn more about FDA’s medical device cybersecurity guidance and its impact on your product development plans, please connect with us to start a conversation. Triple Ring has 20 years of experience designing and developing cutting-edge medical technology and a long track record of supporting successful 510(k) clearances and premarket approvals (PMA). We are eager to help you navigate the changes resulting from this FDA guidance.
FAQs
What are the new FDA guidelines for medical device cybersecurity?
FDA’s guidance on Cybersecurity in Medical Devices adds Secure Product Development Frameworks (SPDF) to the risk management processes required of device manufacturers. Risk management is the essential systematic practice of identifying, analyzing, evaluating, controlling, and monitoring risk (now including cybersecurity risk) throughout the product lifecycle. The guidance also describes recommendations regarding the cybersecurity information to be submitted for devices under 510k, PMA, and other submissions.
What does the new FDA guidance on medical device cybersecurity mean for me?
All software-enabled medical devices or in vitro diagnostics featuring connectivity (wireless, local area network, Internet), or portable media (USB or CD) are subject to additional regulatory standards and design controls. If your medical device product fits the above description, you will face additional development effort and development costs to meet the new cybersecurity standards.
How do I design medical devices and IVDs for the new FDA guidance on medical device cybersecurity?
To meet FDA Cybersecurity in Medical Devices guidelines you will need to add Secure Product Development Frameworks (SPDF) like STRIDE to your risk management process. In all of your regulatory submissions, you will also need to address specific elements described in the FDA’s guidance document. Medical Device Engineering consultancies, like Triple Ring Technologies, can help you with these processes.
How does the FDA define connected medical devices?
FDA’s guidance can be interpreted as any device with cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic. The guidance also includes devices that are network-enabled or contain other connected capabilities.
Is my medical device product a connected device as defined by the FDA?
The answer is yes if your device contains software, firmware, or programmable logic. Also included are devices that are network-enabled or contain other connected capabilities. Examples of connected devices are MRI systems connected to an internal hospital network, in vitro diagnostics with wireless communications, or implantable devices that can be programmed remotely. Examples of devices that are not connected include orthopedic screws, tongue depressors, and bedpans.
Congratulations to our Agility Labs member, CytoTronics, on closing $9.25 Million in seed funding, led by Anzu Partners with participation from Milad Alucozai (BoxOne Ventures) and institutional investors, to revolutionize drug discovery and phenotypic screening. Triple Ring is proud to be a part of the journey to provide the facility, technology, and mentorship support to CytoTronics from the very beginning. If you are interested in learning about CytoTronics and its complementary metal-oxide-semiconductor (CMOS)-powered drug discovery platform, please visit https://cytotronics.com/. If you are looking for a lab space to launch your innovative business, Agility Labs offers a flexible incubator for emerging life sciences, medical device, and technology companies in Silicon Valley and Boston. For more information, please visit our website at https://www.agilitylabs.org/ or email your inquiries to info@tripleringtech.com.
One Health Group and Triple Ring Technologies Partnership and Investment
SYRACUSE, NY, UNITED STATES, February 1, 2022 /EINPresswire.com/ — One Health Group, specializing in remote medical diagnostics for animal health, and Triple Ring Technologies announce that Triple Ring will serve as a technology partner, leading One Health Group’s product development effort, and providing the science and engineering team. Additionally, Triple Ring will make an investment in the One Health Group.
“Our technology partnership with Triple Ring will enable us to much more quickly bring our patented mobile health monitoring technology to market, and will support our goals as we build on our noncontact intelligent biometric sensing Voyce platform, bringing new, innovative physiological monitoring capabilities to support in-situ and real-time animal health care”, stated Al DiRienzo, CEO and Co-Founder of One Health Group.
One Health Group’s Voyce is the first non-invasive, remote digital device with patented algorithms that accurately monitors biometric data for better interventions in animal care. One Health Group’s technology is a huge leap forward for interconnectivity between animal, human and environmental impacts on health. OHG has partnered with world-leading academic institutions and prestigious medical technology companies to continue to build on its biometric monitoring platform to provide health diagnostics globally.
“Triple Ring is pleased to partner with One Health Group to develop the next version of their exciting platform for next-generation remote animal health monitoring. We believe in One Health Group and are taking a stake in the company, showing our support for their technology and the potential for the Voyce platform”, added Joe Heanue, CEO of Triple Ring Technologies.
About One Health Group: One Health Group (OHG) is a medical technology innovator with a mission to bring breakthrough health diagnostics, therapeutics, monitoring, screening, and advanced analytics to market. Driven by seeking solutions to preventing needless animal and human illnesses, often attributable by a lack of health data, OHG has developed a patented mobile health assessment technology that uses intelligent sensors and artificial intelligence to provide personalized, context-based real-time health information. OHG’s goal is to provide a unique health platform that integrates animal, human, and environmental data, which are intrinsically linked. For more information, please visit www.onehealthgroup.com.
About Triple Ring Technologies: Triple Ring Technologies is a co-development company headquartered in Silicon Valley, with offices in Boston, Toronto, and Copenhagen. They partner with clients in medtech, life sciences, and sustainability & the environment to create new technologies, launch innovative projects, and start new ventures. Their capabilities span early R&D, product development, manufacturing, regulatory approval, market access, strategic investment, and incubation. For more information, please visit www.tripleringtech.com.
To read the full press release, please click here.
FDA issues long-awaited draft software guidance in overhaul of 16-year-old policy, recommending documentation to include in premarket submissions for medical devices that use software. What’s changed in the Draft Guidance for Content of Premarket Submissions for Device Software Functions? Pooja Kartik, Triple Ring’s VP Quality & Regulatory, emphasizes the three new definitions of Device Software Function, Software as a Medical Device (SaMD), Software in a Medical Device (SiMD) and does comparisons between 2005 Guidance with 2021 Draft-Enhanced version in the recent software article she compiled. If you are interested in learning more about the major changes in the draft guidance and how this might affect your business, please click here to read the full article.
Triple Ring Technologies and Woods Hole Oceanographic Institution (WHOI) are collaborating to fill an unmet need in environmental sensing – providing a fieldable, portable microplastic sensor that quantifies the number of plastic particles in water. A comprehensive understanding of microplastic pollution is significantly hampered by the unavailability of low-cost, robust, accurate, and rapid analysis techniques. There is an urgent need for such measurement information, to inform the public and policy makers, and toward developing and managing effective mitigation strategies for plastic pollution in the world’s water bodies. With readout available in minutes, the sensor will ensure that field sampling time is maximally productive while also usable in a lab environment to significantly speed up sample testing.
The core technology was developed at WHOI in the laboratory of Dr. Anna Michel, Associate Scientist, Department of Applied Ocean Physics and Engineering, with doctoral student Beckett Colson. Developing the proof-of-concept into a rugged, fieldable unit is being performed by Triple Ring Technologies under the leadership of Dr. Sheila Hemami, Sr. Director of Growth Initiatives. To further develop the technology, Triple Ring Technologies has been awarded an SBIR Phase I grant by the Environmental Protection Agency entitled “A fieldable, portable, reagent-free microplastic sensor enabling rapid readout and modular operation” and will work with WHOI to execute the grant.
Drs. Hemami and Michel believe that this new tool will allow easy, widespread assessment of microplastic pollution in waterways, wastewater, stormwater, and other applications in which the presence of microplastics is a concern. “Combining WHOI’s core sensing technology with Triple Ring’s experience in delivering integrated products will significantly move the needle on the understanding of microplastic pollution and will drive data-based mitigation solutions,” said Dr. Hemami.
Dr. Michel added “My lab is especially interested in developing technologies that enable us to robustly count the number of microplastics in drinking water, ponds, lakes, and oceans. We need field-deployable sensors that provide us this information in order for us to understand microplastic pollution.”
About Triple Ring Technologies
Triple Ring Technologies is a co-development company headquartered in Silicon Valley, with offices in Boston, Toronto, and Copenhagen. They partner with clients in medtech, life sciences, and sustainability & the environment to create new technologies, launch innovative projects, and start new ventures. Their capabilities span early R&D, product development, manufacturing, regulatory approval, market access, strategic investment, and incubation. For more information, please visit www.tripleringtech.com.
About Woods Hole Oceanographic Institution
The Woods Hole Oceanographic Institution (WHOI) is a private, non-profit organization on Cape Cod, Massachusetts, dedicated to marine research, engineering, and higher education. WHOI’s pioneering discoveries stem from an ideal combination of science and engineering. WHOI is known for its multidisciplinary approach, superior ship operations, and unparalleled deep-sea robotics capabilities. For more information, please visit www.whoi.edu.
To read the full press release, please click here.
Triple Ring is thrilled to announce that we have been awarded an SBIR Phase I grant by the Environmental Protection Agency entitled A fieldable, portable, reagent-free microplastic sensor enabling rapid readout and modular operation. This project is led by our Senior Director for Growth Initiatives, Dr. Sheila Hemami.
We are excited to be applying our deep technical and scientific expertise in support of our commitment to sustainability and the environment.
Triple Ring will take part in the upcoming virtual 2021 European Medical Device and Diagnostic Product Development and Product Management conference, where our experts will be hosting round table discussions on project risk management and prototype development.
Learn more about the virtual conference at their website.
Triple Ring is taking part in tonight’s US-Japan Healthcare Connection Virtual Conference, “The Coming Revolution in Healthcare”, beginning at 4:30PM PST.
The conference presents the latest developments underlying this transformation, with particular focus on “Hospitals at Home” and remote patient monitoring.
The US-Japan Healthcare Connection is a strategic alliance between the Japan Society of Northern California and US-Japan Medtech Frontiers.
Learn more at US-Japan Healthcare ConnectionUS-Japan Healthcare Connection
Kenneth Gotlieb, Ph.D., Senior Scientist from Triple Ring’s Photonics, Imaging, and X-Ray (PIX) team will be presenting the talk, “Industry R&D: Using Physics to Prototype New Medical Devices and Other Emerging Technologies”, on Tuesday March 16, at the American Physical Society’s March Meeting, in a session called “What Do Early-Career Physicists Do? A Diversity of Career Options.” His talk will highlight how much one can learn working at a place like Triple Ring, applying physics training to work on a whole range of new technologies.
Learn more at APS March Meeting
Scientists from Triple Ring’s Photonics, Imaging, and X-Ray (PIX) team have authored the paper, “An integrated Monte Carlo tissue optics simulation engine with Zemax OpticStudio for complete instrumentation development.”
The team has formed a method to combine specialized tissue simulation models with Zemax OpticStudio, and illustrate their approach with two case studies: a pulse oximetry sensor and a device to perform fluorescence guided surgery.