    Episode 26 · June 24, 2025 · 30m listen · 5,453 words · ~27 min read

    Cybersecurity Labeling and MedTech Transparency | Ep. 25 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 26 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast delves into the critical but often misunderstood concept of cybersecurity labeling for medical devices. Hosts Christian Espinosa and Trevor Lynch clarify what labeling entails, addressing common misconceptions and outlining effective strategies for manufacturers. They emphasize the importance of transparency in informing users and patients about potential risks and mitigation strategies, aligning with FDA's focus on clear disclosure. The discussion highlights key standardized approaches like the MDS2 (Manufacturer Disclosure Statement for Medical Device Security) and JSP2 (Joint Security Plan) customer security documentation, explaining how these frameworks aid in conveying essential product information, from encryption types to authentication mechanisms. The episode also explores the nuances of detail for different audiences, from end-users to hospital IT administrators, and the varying requirements from regulatory bodies versus healthcare delivery organizations like the Mayo Clinic. A core theme is how robust labeling fosters manufacturer accountability, driving the design of inherently more secure products rather than relying on security through obscurity. Listeners will gain actionable insights on navigating the complexities of cybersecurity labeling to ensure compliance and build user trust.

    Key takeaways from this episode

    • Cybersecurity labeling is crucial for transparency, informing users and patients about product risks and mitigation strategies.
    • Standardized approaches like MDS2 and JSP2 customer security documentation are vital for consistent and comprehensive information disclosure.
    • Manufacturers should see labeling as a mechanism for accountability, driving the development of more secure medical devices.
    • Tailoring labeling detail to different audiences, such as end-users versus hospital IT administrators, is essential for effective communication.
    • Healthcare delivery organizations often have stricter cybersecurity labeling requirements than the FDA, necessitating a comprehensive approach.
    • Avoid poorly encrypting data; if data isn't sensitive enough to require encryption, it's better to leave it unencrypted than to use outdated or weak methods.
    • Manufacturers must educate themselves about the specific cybersecurity controls and technologies integrated into their products to accurately complete labeling documentation.
    • Seek expert guidance for cybersecurity labeling to ensure all compliance requirements are met and documentation is comprehensive.
    • Good medical device cybersecurity labeling should cover potential problems and provide instructions on best practices for safe use and integration.
    • The global system view provided in labeling documents like the JSP2 helps users understand the overall architecture and how to integrate the device into existing networks.


    Full episode transcript

    Hi, welcome back to another episode of the Med Device Cyber Podcast. Today we're talking about a complex yet simple concept: labeling. Specifically, we're discussing cybersecurity labeling. We're going to hit on some of the main points about what labeling is, common misconceptions, and how a manufacturer should approach labeling. We'll also touch upon the MDS2, which is a common form people ask questions about. So, that's the objective of today's podcast. I'm your host, Christian Espinosa, coming to you from Florida today. I got stuck here for a couple of days, so I've got a portable setup. And I've got Trevor here. I don't know where Trevor is today, actually. Where are you today, Trevor? You've got those weird wooden background things. Yeah, I'm in Arizona for today, off to California tomorrow. All right, awesome, cool.

    So, as far as a definition of labeling goes, what would you, or how would you describe labeling, Trevor? So, labeling is the information that a manufacturer or a MedTech innovator needs to portray to users and patients. This is essentially, under the cybersecurity context, what risk are they taking on by using the product, and how can they work to mitigate that risk? And then, just as well, generally any information about the product from a cybersecurity or software perspective that would be helpful for users to know. So, this is in the act of transparency because the FDA is pretty big on transparency. So, we're trying to make the risk transparent to somebody purchasing one of these medical devices. Is that a fair statement? Okay.

    We're looking at, you know, you're going to want to know if you're buying a car if it tends to be in a lot of accidents because there are a lot of broken parts. You want to know if you're buying a phone. Like, you remember when the Samsung phones were exploding for a while? Yes. You'd want to know if you were buying, I think it was just the iPhone versions though, wasn't it or something? No, it was the Samsung Note something. The batteries would puff up and explode, and so you'd want to know if you were buying a phone with one of those batteries. There might have been other phones, but anyways, so you want to be aware of what's going on in the product that you buy. This is just an effort to try to portray that risk.

    It's also a way to keep manufacturers accountable. So, if they have to disclose any risk present in the system, they're obviously going to want that risk to be minimal. Otherwise, they're likely not going to be purchased due to the fact that they impose a very high risk to the user or to the patient. So, it's that two-fold area of making sure that users and customers are well-informed, and they know what's going on in their product, and keeping manufacturers accountable and making sure that they do their best to disclose minimal risk since they shouldn't have very much risk. So, it's really to help the consumer of the medical device, which is typically a healthcare delivery organization, make an informed decision. If they're comparing two different products and they have a specific risk appetite, they have a little more transparency into the risk associated from a cybersecurity lens with either device. Exactly.

    Good cybersecurity labeling is also going to contain instructions on best practices for use, integrating it into an existing hospital network, any optional configurations that may be security-relevant, and when you should use them. So, good cybersecurity labeling is not only conveying potential problems but saying, here is a way to fix those problems. Here's how you make sure that you're setting up this product safely. So, good cybersecurity labeling is going to cover all of these different areas.

    Yeah, and how does the MDS2 fit into that labeling? It's a good idea to take a bit of a standardized approach when it comes to cybersecurity labeling, and an MDS2 is part of that. So, that stands for Manufacturer Disclosure Statement for Medical Device Security. And what that is essentially saying, it's a questionnaire. I think it's about 180 line items, and it's different questions about the product document basically that a manufacturer has to fill out to disclose certain things, like what type of encryption you have, what type of authentication you're using. So, the same concept, it's a labeling to inform a consumer of the product or the medical device, like what the risks are and what protections are there as well.

    It ties closely into things like NIST certification, ISO 27001 certification. And in the template for an MDS2 put out by NEMA, you can see actually which items need to be met by certain compliance standards and the actual section out of those standards. So, if you're ISO 27001 compliant, you can translate that directly into your MDS2, and it'll show you which boxes you can tick with that compliance and then exactly where it comes out from. So, it takes a standardized approach, which is really great to pull in other standardized approaches recommended by the FDA. And so the cybersecurity labeling side of things shouldn't be a very complicated process as long as you have your quality system and your just general compliance setup beforehand.