The two-legged stool of “safety and efficacy” just got a third leg that no one is talking about! Read on past the hype to find out what this perilously neglected “new leg” is, and how, in the FDA’s opinion, “no one” is addressing it well yet.
The Hype Surrounding AI in Medical Devices
AI: Limited Applications in Medical Devices
Everyone is obsessed with Artificial Intelligence. While AI in general, and generative AI in particular, already have many fascinating and useful applications, it turns out that medical device applications of AI are still rather limited.
Behind this is the reality that many FDA clearances of “AI/ML” (Artificial Intelligence and Machine Learning) are:
- In the radiology space based on a particular 2012 breakthrough in image processing—a far cry from permeating every domain yet.
- “Locked,” that is, AI was used to create a model, but the model was validated using traditional techniques.
The FDA’s predetermined change control plan (PCCP) guidance is useful, and yet the biggest point that the FDA makes really seems to be that outputs from medical devices need to be… predictably bounded for safety and efficacy.
The Overlooked Discipline: Medical Device Cybersecurity
While AI is hot and ultimately worthwhile to pursue long-term, the reality is that the hype surrounding AI is going to leave a vast swath of broken dreams, while the far more addressable discipline of medical device cybersecurity goes relatively ignored and unaddressed.
The Reality of Cybersecurity in Medical Devices
FDA’s Take on Cybersecurity: An Industry Wake-Up Call
At MedCon in Columbus, Ohio in May 2024, Matt Hazlett from FDA presented the FDA’s current take on industry’s response to cybersecurity guidance… and let’s just say, it wasn’t pretty. In Matt’s words, “no one” is doing cybersecurity well.
At in2being, it’s our goal to change that, and we recognize that this is a new area for everyone. So, why might this be? Why is industry having such a hard time getting FDA’s blessing by FDA’s own admission?
Key Challenges in Cybersecurity Compliance
There are at least three things going on here:
1. The “Google Test”
As Matt made clear to those of us assembled at MedCon, FDA is encouraging its reviewers to use “the Google test”… if a company says that they’re using, say, MD5 checksums for security, the reviewer might google “is MD5 secure?”… what they’ll get back are answers from the web suggesting that MD5 is no longer considered secure. In the long development cycle of medical devices, this could cause a problem for your development team, as technology is always changing, and some part of your system developed 4 years ago might not pass muster today. This “Google test” also ignores the reality that, for certain uses, MD5 might still be usable for non-security-related tasks.
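The distinction the “Google test” misses is between an unkeyed checksum and an authenticated integrity check. The following is an added example, not code from the original post or from in2being: it uses a constructed byte string as a stand-in for a firmware image (no real device image is involved) and shows that an MD5 fingerprint still detects accidental corruption, but that a modified image shipped with a freshly recomputed MD5 passes an MD5-only check, whereas an HMAC-SHA256 tag can only be produced by the holder of the manufacturer’s key. The key and image contents are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample bytes standing in for a firmware image (hypothetical, not a real image).
FIRMWARE = b"demo-firmware v1.0 (constructed sample bytes for illustration)"
# A modified copy of the same image, as an integrity check is supposed to catch.
MODIFIED = FIRMWARE.replace(b"v1.0", b"v1.1")
# A single flipped bit, the kind of accidental corruption a plain checksum is good at catching.
CORRUPTED = bytes([FIRMWARE[0] ^ 0x01]) + FIRMWARE[1:]


def md5_fingerprint(data: bytes) -> str:
    """Unkeyed digest.

    Adequate for spotting accidental corruption or deduplicating files, but anyone
    who can alter the data can also recompute the digest over the altered data.
    """
    return hashlib.md5(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256). Only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_md5_bundle(bundle: tuple[bytes, str]) -> bool:
    """Accepts an (image, md5) pair if the digest matches the image it travels with."""
    data, digest = bundle
    return hmac.compare_digest(md5_fingerprint(data), digest)


def verify_hmac_bundle(key: bytes, bundle: tuple[bytes, str]) -> bool:
    """Accepts an (image, tag) pair only if the tag was made with the manufacturer's key."""
    data, tag = bundle
    return hmac.compare_digest(hmac_tag(key, data), tag)


def detects_corruption() -> bool:
    """MD5 remains perfectly usable for this non-security task: noticing a bit flip."""
    return md5_fingerprint(CORRUPTED) != md5_fingerprint(FIRMWARE)


def demo() -> dict:
    # The manufacturer's key (hypothetical). It stays with the manufacturer and the
    # verifying device; it is never shipped alongside the image.
    key = secrets.token_bytes(32)

    # Genuine bundles produced by the manufacturer.
    md5_bundle = (FIRMWARE, md5_fingerprint(FIRMWARE))
    hmac_bundle = (FIRMWARE, hmac_tag(key, FIRMWARE))

    # Modified bundles: the digest or tag is recomputed over the modified image by
    # someone who does not hold the manufacturer's key.
    md5_modified = (MODIFIED, md5_fingerprint(MODIFIED))
    hmac_modified = (MODIFIED, hmac_tag(b"not-the-manufacturer-key", MODIFIED))

    return {
        "md5_genuine_accepted": verify_md5_bundle(md5_bundle),        # True
        "md5_modified_accepted": verify_md5_bundle(md5_modified),     # True: the check is unkeyed
        "hmac_genuine_accepted": verify_hmac_bundle(key, hmac_bundle),   # True
        "hmac_modified_accepted": verify_hmac_bundle(key, hmac_modified),  # False: wrong key
        "md5_detects_bit_flip": detects_corruption(),                 # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for a submission is not that MD5 has no place in the device, but that the design history file should say which property each mechanism provides: a checksum for detecting transmission or storage errors, and a keyed or signed construction wherever the question is whether the data came from a trusted party. Stated that way, a reviewer’s web search for “is MD5 secure?” lands on a claim the file never made.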
2. The “Third Leg” burden of Cybersecurity
The second barrier appears to be what I’m calling the third leg of the stool.
For years, those of us in the industry have understood that there are basically two “questions” for medical devices… safety and efficacy. Now, certainly, 510(k) clearances are based on substantial equivalence… but this is simply a surrogate for safety and efficacy… and as technological changes emerge, any lingering questions of safety and efficacy must be addressed through testing. This “two-legged stool” of safety and efficacy is NO LONGER the standard.
I had a very brief chance to chat 1:1 with Dr. Jeff Shuren, the always thoughtful, practical, and down-to-earth head of FDA’s Center for Devices and Radiological Health (CDRH) the other day at the REDI conference. Having shared my impression that FDA had added a third leg to the stool, that the standard had become “safety, efficacy, AND reasonable assurance of cyber impenetrability,” Jeff confirmed that this was a reasonable way to look at the situation.
As Matt Hazlett had pointed out earlier, cybersecurity is not to be confused with Risk Analysis. Cybersecurity is not a subset of risk analysis, and furthermore, cybersecurity is not only concerned with whether a cyber vulnerability could cause patient harm, or whether a hacker might be interested in hacking the system. Cybersecurity in the FDA’s eyes is ONLY interested in what will happen WHEN the system is hacked. As a result, products that have any potential to connect to the internet need to view cybersecurity as the new third leg on the stool in addition to traditional activities such as standards compliance and risk analysis.
3. Lack of Familiarity with Industry Threat Models
Finally, the FDA has wholeheartedly embraced industry cyber threat models (such as STRIDE, Attack Trees, Kill Chain, and DREAD). While most medical device developers aren’t yet familiar with these, they provide a much-needed framework (and some choices) to the development team.
Additionally, the cybersecurity landscape continues to shift and new threats are being discovered and new threat models are being developed to adapt to the constant change.
Embracing Cybersecurity: The New Frontier
There’s A LOT of work to be done. Cybersecurity is the next frontier hidden in plain sight. If you have a microprocessor in your medical device and any communication with the outside world, it’s time to embrace cybersecurity and get compliance into your plan.
Do you have questions about the potential impact of these changes? Are you wondering how this could pertain to your medical device? Contact us to get your questions answered.