Key steps to advance medical device information security and privacy

Patrick Reichmann discusses how to address the key regulatory challenges in the medical device industry

Add bookmark

The medical device industry continues to evolve and adapt to new regulatory standards. In this interview, Patrick Reichmann, Quality Assurance & Regulatory Affairs Manager at Agfa Healthcare, shares his view on how to address the key regulatory challenges in the industry. He also offers advice on how to meet the ISO 27000 standards and why legacy devices will be a growing security concern in the coming years.

Read More: What does the future hold for regulatory information management?


Pharma IQ:   What are the main challenges being faced by companies in regulatory affairs?  And how can these be overcome?

Patrick Reichmann:  There are two main challenges that have evolved over the last years. 

One of them is that today's organisations have become more and more global and these global organisations want to follow harmonised processes, global processes.  That's where the issues come into play - where they have to face multiple, different regulations and standards in various countries.  To incorporate all those requirements into harmonised processes is one of the big challenges, I think.

The other challenge would be that these complex processes still have to be efficient in order to allow efficient, compliant operations. That's where the regulatory side is challenged by the business to create efficient processes for the business to operate globally.

Pharma IQ: How are these challenges being overcome in the industry?

Reichmann: Usually what you would do to overcome these challenges is to have expert committees with representatives from various countries giving input into the design of processes. And to have a closed feedback loop with internal audits. So to speak, the auditors would compare the definition of processes with how they are implemented. And thus allow the gap to close between theory and reality.

Basically, you simply allow yourself the time to check that you maintain and improve your process continually and see where you have still room for improvement or efficiency gains.


Pharma IQ: What are the key steps in applying the ISO 27000 framework in order to advance and demonstrate information security and privacy?

Reichmann: That's a good question. Actually the ISO 27000 framework is outlined according to the Plan-Do-Check-Act model.  The key is to set up an Information Security Management System, which means that you have to first identify the information assets which are everything that has value to your organisation. Next you have to look for these assets in all the processes and identify the security requirements for those.  Given those assets, you can then assess the information security risks for each. And the last step would then be to extend the existing procedures which have not been centred around security aspects yet, and take proper security controls for these assets.

If you have these controls in place you can evaluate their effectiveness and see how big the remaining risk is and accordingly plan to extend them. You can then monitor and improve the effectiveness of these controls and go back and see if the remaining risk is acceptable or not. Which means going back, with the knowledge gained, to start from the beginning and apply additional controls.

Related: Is the role of regulatory affairs being overlooked in the pharmaceutical industry?


Pharma IQ:  How can companies be prepared for the upcoming demands of their customers?

Reichmann:  It's important to safeguard your existing legacy product.  If there's one key aspect in security management these days it's that hackers know that outdated, old products have not been designed with security in mind and those products will be the main targets in the coming years for malicious attacks. 

So it's important for companies to not only look forward and at new products but also to check and do a risk assessment of existing products that are on the market.  Realistically, those products will be on the market for many years to come and I see many effective threats coming to those legacy products which have not been safeguarded, which would then cost a lot of money to companies.


Pharma IQ:  What do companies need to know before regulatory submission?

Reichmann:   That is naturally dependent on the country where you try to achieve regulatory submission. It's a very diverse and big topic which can't be answered in a few minutes.  But, from a general point of view, a good starting point for successful regulatory submission would always be a properly implemented and maintained Quality Management System. Because this Quality Management System will allow you to create the necessary deliverables and records that you need for regulatory submission.  This, in combination with information from the notified bodies or the competent authorities where you want to register your product, will give you the necessary inputs for your successful regulatory submission.


Pharma IQ:  What do you think will be the major trends in the regulatory side of medical device software in, say, the coming two years?

Reichmann:    There are two aspects which we will see in the next two years; that software is becoming more and more interconnected.  We are removing the boundaries of these software islands that we currently still see a lot in the medical device sector. Which means the connections, a common interface or technical language are necessary to overcome healthcare provider boundaries.

The other thing that will be more and more important is that systems will become more versatile. Information systems will have to deal with different kinds of data like different image types from various disciplines. That means departmental software will become less and less important, because the care providers will expect one-stop shops. That is, products which will be able to deliver data across the whole workflow.


Did you enjoy this article? Read our case study on how Sanofi automated their materials approvals process for 500 employees in just 3 months