Eric Soederberg, president and CEO of Sunrise Labs, recently shared his insights on the benefits and hurdles of medical device connectivity in “Adding Connectivity to Your Medical Device”, especially as it relates to connecting devices to external networks. In a subsequent discussion, Soederberg sat down with MedTech Intelligence to offer further advice on product design and cybersecurity vulnerabilities.
MedTech Intelligence: When designing connectivity into a device (or adding it), what are the common factors that device manufacturers do not anticipate?
Eric Soederberg: It’s easy to underestimate the impacts of simply adding connectivity to a device. Let’s say you have a diagnostic device used in a hospital setting. The motivation to connect your device might start with a desire to make your device easier to use and less susceptible to error by automating the otherwise manual transcription of your device’s output to a patient record, going straight to the patient’s electronic health record (EHR). The concept is simple enough. However, several challenges are presented when you add a network connection to your device. First, the device’s vulnerability to cybersecurity threats becomes a real issue when a device is connected to a network. Not only do you have safety and privacy issues when the device itself is compromised, but the device could also be used as a conduit into the hospital’s network and put the hospital’s network at risk of compromise by a cyberattack.
Next you have the challenge of integrating into the hospital’s EHRs. It’s been said that “once you have talked to one hospital, you’ve talked to one hospital.” There is a plethora of health information systems (HIS) out there, often managed differently by different hospital systems. The present approach to achieve device integration is to first convince a hospital system that it needs your device, and then get the hospital to ask its HIS provider to integrate with your device. So in effect, a manufacturer can sell that its device is ‘connectable’ but not that it is plug-and-play until after the hospital is committed to purchasing the device. There are data consolidators like Apple’s HealthKit and Microsoft HealthVault, and cross-platform standards that will help down the road, but no commonly adopted solutions yet.
Finally, and perhaps most importantly, when a device is connected to a network it becomes part of a System—a dynamic system that requires upfront consideration and likely infrastructure support to monitor performance and cyber-related events, and to respond to those events, including with software upgrades, which cannot be done in a slapdash manner for medical devices. The business model has to support these activities, and there are many challenges as well as opportunities here.
MTI: Do a lot of manufacturers still think of connected devices as a “device” rather than a “system”? If so, what are the implications?
Soederberg: I think it is natural for companies that are accustomed to shipping devices and occasionally responding to MDR or MAUDE reports when they come in to think that way. Once a manufacturer has the ability to gather near real-time data on the use of their devices, it opens up lots of opportunities, and some liabilities as well. The FDA will require monitoring of cyber-related compromises—this is in a draft guidance now and is expected soon. Other non-mandatory opportunities are available; for instance, a manufacturer could decide to monitor user-interface (UI) and user-experience metrics that enable UI design improvements.
MTI: What interaction should be occurring between manufacturers and healthcare providers to address cybersecurity vulnerabilities in systems?
Soederberg: What’s nice is that the FDA has given us some guidance here, and much of the FDA guidance leverages the efforts of other federal agencies such as the National Institute of Standards and Technology (NIST). The NIST cybersecurity framework resulted from a [President] Obama initiative to improve our national infrastructure’s resilience to cyber threats and outlines a risk-based approach that manufacturers can follow to address cyber vulnerabilities. Part of the federal cyber initiative encouraged the establishment of public/private information exchanges called Information Sharing and Analysis Organizations (ISAOs), one of which is the National Health ISAC (Information Sharing and Analysis Center), where newly found cyber vulnerabilities and attacks are shared among all members, including healthcare providers and potentially all manufacturers. The bad guys share information on cyber vulnerabilities, so the good guys need to share information to limit the damage. Hospitals will need to give manufacturers access to the data from the manufacturers’ devices when cyber events are detected and logged; the FDA expects manufacturers to include this feature in devices. Allowing manufacturers to access this information will be important to responding quickly to newly discovered vulnerabilities.
MTI: What post-launch challenges do manufacturers face?
Soederberg: I like to look at it as post-launch opportunities. The connectivity allows the manufacturer to stay connected to their device and the end users. Look at what other industries are doing. Some smartphone apps send updates monthly or even more often, hopefully making the app better at each release. The challenge in the medical device arena is to not hurt a patient and to document the validations done to prevent it.