This episode of The Med Device Cyber Podcast puts Christian in the hot seat to answer the questions MedTech innovators ask most often. The discussion opens with ISO 13485 and its role in establishing a quality management system that gives a manufacturer traceability, a design history, and documented risk mitigation for a device. A central point is that, over roughly the past year, insufficient cybersecurity has become the most common reason the FDA rejects medical device submissions. The episode then separates Software as a Medical Device (SAMD) from Software in a Medical Device (SIMD), contrasting a cloud-hosted AI image enhancement tool with the software running inside a patient monitoring system. A large part of the conversation covers the often-confused difference between HIPAA compliance and FDA cybersecurity expectations: HIPAA is about protecting health information, while the FDA's primary question is what harm an attacker who compromises the device could do to a patient. The hosts also compare cybersecurity requirements across regulators, naming the FDA, which builds on IMDRF guidance, as the most stringent and most widely influential, and noting that an FDA-cleared device can be sold in Hong Kong and from there enter the Chinese market, bypassing direct Chinese approval. The episode closes by restating the podcast's mission: to give MedTech innovators actionable cybersecurity knowledge that prevents device rejection and market delays.
Key Takeaways
01. ISO 13485 is crucial for establishing a quality management system that ensures traceability, proper design, and effective risk mitigation for medical devices.
02. Insufficient cybersecurity is currently the most cited reason for medical device rejection by the FDA, highlighting its critical role in regulatory approval.
03. Software as a Medical Device (SAMD) refers to standalone software, while Software in a Medical Device (SIMD) refers to software embedded within a hardware medical device.
04. FDA cybersecurity requirements prioritize patient safety above all else, which differs significantly from HIPAA's focus on protecting health information.
05. The FDA is generally considered the global leader in stringent cybersecurity requirements for medical devices, with its standards often influencing international markets.
06. Understanding the nuances of international regulatory bodies like China's NMPA, which may require significant device overhauls, is crucial for global market access.
Hello and welcome back to another episode of the Med Device Cyber Podcast. This one is going to be a little bit different from our typical flow. We're putting Christian in the hot seat and running him through some of the questions that we see come up all the time as frequently asked questions with MedTech innovators, and seeing how he does and how well he knows all of these processes.
All right, we'll start off with a good one and a very important one. Could you give us a little description of what ISO 13485 is? ISO 13485 is the standard for a quality management system, and how to set that up, what should be in that system, and what the foundational components of that system are.
The whole idea is that when you have a medical device, you need to have a QMS, or some sort of system, that has basically all the information about the medical device: the design history files, the cybersecurity documentation. The whole idea is, I have all this stuff organized in a very logical manner so I have traceability for when the device is in the market, traceability for when it was designed, how it was built, how it was tested. I have that full visibility and traceability in the system.
Then, when a problem comes up with the device, I feed that into the quality management system, and we have the evidence of what we did to reconcile that problem and make sure the risk is at an acceptable level. For example, if we had to mitigate the risk and how we did that and the history of that, or if we decided the risk was already at an acceptable level and we didn't need to take any action.
Excellent. Yes, that's a perfect way to put it. We're trying to make sure that we have quality, repeatable, and secure processes. It's often one of the bigger frustrations for working with healthcare and MedTech devices, just since it's a little bit unique to regulated spaces, for sure, but very important.
All right. Now, what is the most common reason that medical devices get rejected by the FDA? Lately, in the past year or so, the most common reason is cybersecurity – actually, insufficient or inadequate cybersecurity, I should say.
Yes, exactly. All right. Now, could you give us a little bit of a summary of the description between SAMD and SIMD products? Oh my goodness. SAMD is Software as a Medical Device. So, this would be some sort of software that may sit on the cloud; it could be some sort of AI image enhancement tool that takes an ultrasound image, sends it up to the cloud, and the software component runs AI through it and does some image enhancement for something like a vascular disease. So the physician can look at the image and see the vascular portion much better than just through the ultrasound or an MRI.
A SIMD is Software in a Medical Device, and that is basically a medical device that has software inside of it. This could be like a patient monitoring system that has software inside of it. The Software as a Medical Device is only software, so there's no hardware component with it. The patient monitoring system is a good example; it's the hardware, and the software running in that hardware.
Yes, exactly. Okay, so I was on the right track. All right. Now, here's a question that I actually got last night at dinner, believe it or not. This was at the Georgian Calian dinner, and I was talking with a startup innovator that has a new product that they're just about to gear up for their 510(k). We were talking about what cybersecurity needs to go into it, and he asked, "Well, I have HIPAA compliance. Is that going to work for the FDA?" I told him, "No, it's not."
So, what are some of the differences between what HIPAA looks for and what the FDA looks for? There are some stark differences. The FDA is primarily concerned with patient safety, meaning, if I can hack into this medical device, what harm can I cause to a patient? That is a primary lens the FDA is looking through.
HIPAA, in contrast, is related to protected health information. It has nothing to do with patient safety. It's like, is my charting about my diagnosis protected? Is my insurance protected that's in the hospital for my treatment? And those are two very different things.
I think this is a commonly misunderstood concept with MedTech cybersecurity. People often think it's about the data, which is HIPAA. The data is important, but it's secondary to patient safety. I like to give an analogy: if I've got a defibrillator and somebody has hacked into it remotely through MedRadio or whichever radio means, and they're shocking me to death while at the same time somebody's stealing my health records, do I actually care that they're stealing my health records, or do I focus on being shocked to death?
Yes, that's an important triage decision to make: what should you deal with first? And I think hopefully most people come to the same answer on that. Right, I can recover from my protected health information or my HIPAA data being stolen, but I can't recover from death, not yet. They may come up with a solution for that later on. Yes, well, that's going to be the real MedTech innovator that figures out how to reverse death. So, we're waiting for that one to come by.
All right, and then a little bit of a curveball in the same vein: what does HIPAA stand for? HIPAA is Health Information Portability and Accountability Act. I thought it was Health Information Privacy Protection for the longest time. And so I had to actually move it from here to there and keep it protected is what I understand. Did I get the acronym right? You did. Yes, no, I had the wrong answer on it, and I had to double-check.
All right. So, we have one more question that I wanted to run through with you here. When we're looking at a lot of these different MedTech regulators and medical device regulators, we often see that many of them come back with slightly different standards. Who typically has the most strict cybersecurity requirements, and who can be thought of as kind of the industry leader in that space?
A little bit of a trick question. Typically, I would say it's the FDA, which basically borrows from the IMDRF but has elaborated on that quite a bit. And then I say typically because I know China has some stringent requirements as well. So I would say between those two, but I think the FDA is more global-reaching than China, which is more specific to China.
Yes. Ironically, if you're FDA cleared, you can sell your device to the Hong Kong market, which is a special administrative region of China. And then once it's been adopted in the Hong Kong market, then it can be sold to the China market and bypass Chinese approval. Yes, which is especially a good strategy to take, considering oftentimes Chinese clearance for the NMPA requires a complete device overhaul, as opposed to some minor documentation modifications, which may be the case, say, going from the US to South Korea.
Going directly from the US to China, you need to pretty much strip out all of your encryption, start over; everything needs to be Chinese cyber law compliant in addition to NMPA compliant. That's right. All right. Well, this was a little bit of a quick rundown on a couple of the most frequently asked questions that we get from MedTech innovators. I want to see if you had any additional thoughts or closing comments and then go from there.
I don't have any really additional thoughts. You took it kind of easy on me, especially compared to the hot seat I put you through, but that's okay. Unless you have, you can ask me one more if you want. It can be on any topic; it doesn't have to be specific to MedTech.
All right, on any topic not specific to MedTech. When was the last time Phoenix had snow? I think it was 1984. I believe it was 1990. Oh, okay. I just made up 84. So, I don't actually know. I've only been in Phoenix for like a couple years. Oh, that's close. Closer than you. Close. Yes, a lot closer. I know. Not sure where I was getting that one from.
I know I spent a lot of time in Tucson when I was a kid, and they would always get snow, and my grandparents live in Tucson, and they would say, you don't get that up in Phoenix. And so that was why we would always go there instead. Yes, well, the good thing about Phoenix is you can drive an hour in pretty much any direction and you know, be up in the mountains and it can be like 30 degrees cooler and sometimes snowing up there.
I don't know. Anytime I'm in Phoenix, I feel like I drive an hour in any direction, I'm still in Phoenix. You don't drive fast enough. I drive pretty fast in Phoenix. That city never ends, right? Maybe an hour and a half. My favorite trick is to show people that have never been to Phoenix, the time it takes on Google Maps to get from East Phoenix to West Phoenix and show them that is going 65 miles an hour on the interstate.
Oh, I was looking at getting back into skydiving. There's a drop zone here in Buckeye. I'm never here though, but from my place in Tempe to Buckeye, and I'm kind of in central Phoenix area, Buckeye's on the west side. It's like 45 to 50 minutes. Yes, it is a huge sprawling city. Yes, and it's growing quite a bit still. Yes, yes, it's still one of the fastest-growing cities: Phoenix, Austin, Nashville, pretty much everything in Florida.
Well, thanks for the questions. I think hopefully people found some value in the answers to these questions. These are pretty commonly asked questions, actually, as Trevor mentioned. We get these questions quite often, and because they're asked quite often, I feel like if we give the answers, then we can help raise awareness in the industry, which is part of our mission at Blue Coat Cyber: to raise awareness about cybersecurity.
Because it is becoming, as Trevor alluded to – or we answered – one of the main reasons devices are getting rejected by the FDA and other regulatory bodies. So we want to help prevent that and do the best we can to make sure MedTech innovators are armed with the knowledge about cybersecurity, and the knowledge we're providing is actually actionable, and there can be some specific actions taken upon it to prevent their device from getting rejected or delayed to market.
Awesome. Well, thank you all for tuning in and looking forward to seeing you the next time on the Med Device Cyber Podcast.