I recently caught up with my buddy Randy Horton over at Orthogonal, and we did a deep dive into the evolving landscape of cybersecurity, cloud computing and medical devices.
There’s some exciting stuff happening in this space, and Randy spilled the beans on a couple of essential documents that you definitely want to keep on your radar:
First up, we’ve got the CR510, Appropriate use of public cloud computing for quality systems and medical devices, a new document from the Association for the Advancement of Medical Instrumentation (AAMI) that provides guidance regarding the appropriate use of public cloud computing both as a component of medical devices and in support of quality systems.
In layman’s terms, it delves into the nitty-gritty of moving functions of your actual medical device into the cloud.
Now, I realize the thought of that may make you break out in a cold sweat – I mean, how can you implement change controls for software functions that reside in the cloud, right? – but it actually does make better sense than trying to maintain everything on your own servers.
Think of it this way: the likelihood of Amazon or Microsoft or Google losing internet connectivity, losing power, or having an AC system go out and having the servers overheat is slim to none. They’re working at such unbelievable economies of scale that they just do these low-level things better than a manufacturer could ever do in house, and they’re making thousands of updates a day to their platforms, constantly updating all of them in ways to make them faster, better, cheaper, more secure.
Do you really think medical device manufacturers can match that?
Of course, cloud computing requires manufacturers to take a risk-based approach when connecting their devices. They will no longer be in complete control of their devices, and that’s OK. A revolutionary concept for risk-averse medical device manufacturers, right?
Randy also hinted at the PIR115, the technical information report that’s currently in the works. This will be the “how-to” guide that follows up on CR510, and the FDA has joined the party – woot woot! – so we’re hoping this document becomes the golden ticket for navigating the marriage of cloud computing and medical devices. It’s still in the editing phase, aiming for a Q1 release, so keep an eye out for that one.
Now, remember, the cloud functions as a procured service that provides essential support functions, so if you’re not already besties with your cloud vendor, you should be, albeit besties with a service level agreement, a quality agreement, and lots of clarity regarding their processes.
That’s really the only way to live in this cloud-dominated world – adapting without expecting to change the game entirely.
Randy also mentioned that there’s a call for industry to step up and possibly create a certification process for cloud centers catering specifically to medical devices. It’s a shift towards supplier management and a closer examination of your cloud architecture that could go a long way toward relieving ongoing concerns about cybersecurity.
Want to do a deeper dive into cloud computing and medical devices? Check out the podcast: https://leanraqa.com/podcast with Randy Horton.
This conversation with Pat Baird last year goes even deeper: https://youtu.be/q7LMUTWSqZM.