LTR 73: It's time to up our game on medical device cybersecurity

Deep insights from a conversation with Eric Henry.

Summary

“Medical devices are now increasingly connected in a hospital network. Or even if they are not, they are vulnerable to cyber attacks.”

In this episode of the Let's Talk Risk Podcast, Eric Henry highlights the growing concern about security and cybersecurity of medical devices. As technology evolves and medical devices increasingly operate in an interoperable environment, security vulnerabilities, when exploited, pose a serious risk to patient safety.

In this 30-minute discussion, we cover a wide range of issues, from differences in risk management approaches to the evolving regulatory landscape and expectations for cybersecurity. We also discuss how QA/RA professionals can position themselves to remain competitive in this rapidly changing environment.

Listen to the full podcast or jump to a section of interest listed below.

Chapters

00:00 Introducing Eric Henry

01:33 The Growing Importance of Data Security

06:35 Linking Safety and Security Risk Management

09:11 Current Practices in Security Risk Management

11:35 Differences in Terminology Between Security and Safety Risk Management

14:12 Regulatory Evolution and FDA's Approach

18:40 Post-Market Surveillance and Vulnerability Monitoring

21:10 Understanding Threat Modeling

25:16 Career Reflections and Lessons Learned

28:53 Advice for Quality and Regulatory Professionals

31:38 Closing Comments

Suggested links:

  1. LTR - Medical device cybersecurity now more critical than ever.

  2. LTR: AMA#1: Security risk assessment and vulnerability monitoring.

  3. FDA: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Final Guidance, Issued September 2023.

Key Takeaways

  • Cybersecurity is a growing concern for medical devices.

  • The FDA has increased its focus on cybersecurity regulations.

  • Ransomware attacks pose significant risks to patient safety.

  • Data privacy is now considered part of risk management.

  • Threat modeling is essential for identifying vulnerabilities.

  • Post-market surveillance is critical for ongoing device safety.

  • There is a need for a common language between safety and security.

  • Regulatory authorities are evolving their guidance on cybersecurity.

  • Quality and regulatory professionals must enhance their technical skills.

  • Understanding the business context is vital for career advancement.

Keywords

Cybersecurity, medical devices, risk management, FDA, data security, threat modeling, healthcare, regulatory compliance, patient safety, vulnerability assessment, ISO 14971, TIR 57.

About Eric Henry

Eric Henry is currently the Senior Quality & Regulatory Compliance Advisor in the FDA & Life Sciences Practice at King & Spalding. In his current role, he provides advisory and management consulting services focused on regulatory compliance, enforcement and policy matters. Throughout his highly distinguished career spanning 35 years at leading MedTech companies, Eric has consistently led both the establishment of and execution against strategic and functional goals. He is recognized as a thought leader in the MedTech QA/RA space through his publications in leading journals and presentations at industry conferences.

Disclaimer

Information and insights presented in this podcast are for educational purposes only. Views expressed by all speakers are their own and do not reflect those of their respective organizations.

Let's Talk Risk! with Dr. Naveen Agarwal
Every Friday, Dr. Naveen Agarwal leads a Let's Talk Risk! conversation with industry colleagues to discuss practical challenges and share best practices in risk management. In the highly regulated world of medical devices, most practitioners struggle with the "how" of risk management. Regulatory requirements are complex, confusing and ever changing. Establishing an effective risk management process that satisfies the scrutiny of regulators and auditors without creating barriers to innovation is a significant challenge in the industry. Dr. Agarwal believes that no single "expert" has all the answers, and it is only when we connect, share and learn from each other that we all become better. Let us keep learning together!