In late 2014, the FDA took a stance on the matter by releasing an updated guideline. This document addressed a fair number of data integrity issues, so it may require some clarification; firms with existing information security systems are also likely to benefit from its examination.
Functional Data Integrity
In its guideline, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," the FDA relies on a fairly common definition of (data) integrity. Essentially, data, software and other information should be accurate, and modifications should only be performed by qualified individuals.
What does this mean for a manufacturer? A section on Cybersecurity Documentation reveals that premarket submissions should feature summaries of software integrity controls. While the agency doesn't force manufacturers to adhere to specific control standards, it clearly wants to see them included in some form.
Vulnerabilities: Justifying Data Integrity
Many of the networks medical devices connect to are extensive. A diagnostic apparatus your firm produces could share bandwidth with a doctor's PDA, a patient monitoring terminal in a nurse's station and countless other medical devices. With relatively high numbers of access points, such networks run a higher potential risk. While you're not responsible for validating the integrity of the entire cloud network, you still need to play your part.
What kind of threats are most pertinent? The FDA's version of data integrity focuses on combating malware and other malicious or disruptive software. The driver software you install in a cardiac monitor, for instance, should be protected against hacks and exploits that deliver control of the device to an unknown third party. Where prevention is impossible, you're still responsible for detection, response and recovery procedures.
How Does Data Integrity Fit Into the Manufacturing Process?
Data integrity can't be an afterthought; for maximum efficacy, you should consider it in the early planning stages. For instance, thinking about where your device will be used might help you quantify specific threats. This practical approach allows you to build a more complete data protection mechanism from the ground up, addressing potential concerns as you develop the systems they pertain to.
Thinking about data integrity early on also makes it easier to comply with another FDA recommendation: Manufacturers should implement cybersecurity-focused design inputs that comply with 21 CFR 820.30(g)'s requirements for the design validation of software. It may also be wise to get to know FDA software validation principles at some point.
Does the FDA Offer Specifics?
Manufacturers are given a few suggestions, such as stipulating code authentication requirements for your device software updates and using appropriate encryption. Of course, such tasks are easier said than done, and the specifics of your execution directly impact your product's future.
Manufacturers that successfully maintain high levels of device data integrity do so by building on regulatory guidelines. By gaining intimate familiarity with recommendations, your organization can ultimately gain the ability to exceed them.
With the appropriate planning and documentation, you'll be able to navigate the premarket submission stage as well as bring a life-changing, beneficial product to market.
Posted in FDA & European Regulations