Key steps to advance medical device information security and privacy
The medical device industry continues to evolve and adapt to new regulatory standards. In this interview, Patrick Reichmann, Quality Assurance and Regulatory Affairs Manager at Agfa Healthcare, shares his view on how to address the key regulatory challenges in the industry. He also offers advice on how to meet the ISO 27000 standards and why legacy devices will be a growing security concern in the coming years.
Pharma IQ: What are the main challenges being faced by companies in regulatory affairs? And how can these be overcome?
Patrick Reichmann: There are two main challenges that have evolved over the last few years.
One of them is that today's organisations have become more and more global and these global organisations want to follow harmonised processes, global processes. That's where the issues come into play - where they have to face multiple, different regulations and standards in various countries. To incorporate all those requirements into harmonised processes is one of the big challenges, I think.
The other challenge would be that these complex processes still have to be efficient in order to allow efficient, compliant operations. That's where the regulatory side is challenged by the business to create efficient processes for the business to operate globally.
Pharma IQ: How are these challenges being overcome in the industry?
Reichmann: Usually what you would do to overcome these challenges is to have expert committees with representatives from various countries giving input into the design of processes, and to have a closed feedback loop with internal audits. The auditors, so to speak, would compare the definition of processes with how they are implemented, and thus allow the gap between theory and reality to close.
Basically, you simply allow yourself the time to check that you maintain and improve your process continually, and see where you still have room for improvement or efficiency gains.
Pharma IQ: What are the key steps in applying the ISO 27000 framework in order to advance and demonstrate information security and privacy?
Reichmann: That's a good question. Actually, the ISO 27000 framework is outlined according to the Plan-Do-Check-Act model. The key is to set up an Information Security Management System, which means that you first have to identify the information assets, which are everything that has value to your organisation.
Next, you have to look for these assets in all the processes and identify the security requirements for them. Given those assets, you can then assess the information security risks for each. The last step would then be to extend the existing procedures, which have not yet been centred around security aspects, and put proper security controls in place for these assets.
Once you have these controls in place, you can evaluate their effectiveness, see how big the remaining risk is and plan accordingly to extend them. You can then monitor and improve the effectiveness of these controls and go back to see whether the remaining risk is acceptable or not, which means going back, with the knowledge gained, to start from the beginning and apply additional controls.
Pharma IQ: How can companies be prepared for the upcoming demands of their customers?
Reichmann: It's important to safeguard your existing legacy products. If there's one key aspect in security management these days, it's that hackers know that outdated, old products have not been designed with security in mind, and those products will be the main targets for malicious attacks in the coming years.
So it's important for companies not only to look forward at new products but also to check and do a risk assessment of existing products that are on the market. Realistically, those products will be on the market for many years to come, and I see many effective threats coming to those legacy products which have not been safeguarded, which would then cost companies a lot of money.
Pharma IQ: What do companies need to know before regulatory submission?
Reichmann: That naturally depends on the country where you are trying to achieve regulatory submission. It's a very diverse and big topic which can't be answered in a few minutes. But, from a general point of view, a good starting point for successful regulatory submission would always be a properly implemented and maintained Quality Management System, because this Quality Management System will allow you to create the necessary deliverables and records that you need for regulatory submission. This, in combination with information from the notified bodies or the competent authorities where you want to register your product, will give you the necessary inputs for your successful regulatory submission.