Cloud based solutions in the medical device industry

Weighing the Risks and Benefits of the Cloud

By Maria Fontanazza
1 Comment
Cloud based solutions in the medical device industry

Device manufacturers are concerned about data availability and security, as well as risk to their brand.

If you’re one of the 2 billion smartphone users on this planet, you’re well aware of the fact that nearly everything you do, from banking to making flight reservations to ordering groceries can be accomplished using this handheld gadget. Over the past decade, countless businesses have gone paperless, shifting their data to the cloud. But in the medical device industry, the move to cloud-based solutions can be scary. Companies continue to house stacks upon stacks of paper documentation for a variety of reasons—concern of data security, compatibility of cloud-based solutions with their own internal systems, and less control over the entire infrastructure. Next week, MedTech Intelligence and Alexandre Alain, life science product manager at Verse Solutions, hope to answer some of the questions that device manufacturers and suppliers may have during a webinar on September 30, “How to Effectively Deploy a Cloud-based Compliance Solution for Regulated Industries.”

“We’re going to look at different solutions and strategies. When customers are working with cloud solutions, some of them believe they can turn the switch on and then we’re done,” says Alain. “There are still a lot of internal tasks that need to be executed to ensure that the solutions are compliant.” Alain shared some of his insights with MTI.

MedTech Intelligence: From the perspective of medical device manufacturers and suppliers, what security risks do they see with cloud-based solutions?

Alexandre Alain: In the medical device industry, there are many benefits to cloud solutions, but there are also challenges. Several risks come to mind:

  • Loss of data, stolen data or corrupted data
  • Availability of the system
  • Risk to the patient, to the product and to a company’s brand

Device companies have many questions on the security side, because it seems like they have less control when using cloud solutions. They feel like they have more control over their infrastructure when it’s inside their firewall. In reality, risk exists on permanent installations as well. A good cloud solution will have the same controls in place that you would have internally for aspects such as record keeping, security, availability of the data, and retention of data.

REGISTER for the Free Webinar: How to Effectively Deploy a Cloud-based Compliance Solution for Regulated Industries | Wednesday, September 30 | 1 pm ET

MTI: What are the top five considerations when assessing cloud-based solutions?

Alain:

  1. Understand your need and what comes with the solution. You still have to do your own work and have clear requirements of why you need that system. It’s also important to have an understanding of what the provider and the solution will give you.
  2. Look carefully at the security. Make sure the availability of data and integrity is there. This is a critical Part 11 requirement. Make sure the provider has measures in place to maintain user access, and data location, maintenance and recovery.
  3. Look at the supplier quality system. Have an SLA [service level agreement] and quality agreements in place. As a medical device company, we have quality systems, and this is a key element from the cloud solution provider. They need to have a quality system and provide you with a quality agreement or SLA to ensure they have a change control in place, along with backup recovery, disaster recovery, etc.
  4. Look at internal requirements and IT requirements. Cloud solutions are attractive, but [using them] doesn’t mean you don’t have to do anything more internally. For example, the cloud solution will provide validation documentation, but that doesn’t mean you don’t have to do it internally as well. Make sure you look at what you still need to do internally and that you have the right people in place. It’s the same for IT requirements—you still need internal IT support on your side.
  5. Have an exit strategy. What if at one point you don’t want to use that provider any more? Make sure there are tools in place so it’s easy to get your data back.

MTI: What are the hurdles to adoption? Are there challenges in securing buy-in for cloud-based platforms?

Alain: If we look at finance, IT or management departments, it’s easy to get their buy-in. They see the costs saving in maintenance and the other benefits. Many large companies are moving to the cloud, and it’s seen as less risky. From that side, I think IT is asking to go there and outsource some of their responsibilities.

Where I see a bigger pushback is on the quality side. I understand—I’m part of quality and I know that environment. For many reasons, it is a challenge, and it is difficult to go there, because we see a risk. But is there anything in life without risk? We have to make the proper decisions, assess the risk, and come up with a mitigation plan to make sure we control that risk. There’s a lot you can do to remove those challenges and risk, but there is a lot more [convincing] there to get into those cloud solutions.

Again, cloud solutions are not a miracle. You still have to assess the information and what the cloud solution provides and do your own work. Make sure you would provide the same documentation as you would for an on-premises installation.

About The Author

Maria Fontanazza, MedTech Intelligence

Comments

  1. Jesse Shearin

    Firstly, I would like to thank Msr. Alexandre Alain and Ms. Patty Murray for hosting such an informative webinar. This topic is on the minds of many medical device manufacturers, and there are not a plethora of resources yet. Cloud-based solutions will certainly bring a great deal of value to patients, whose conditions can potentially be monitored real-time and whose data can be easily shared with multiple experts around the globe in an instant, thereby enhancing diagnostic practices. Within a cloud-based solution is embedded another topic that I hear weekly as a medical device Safety Engineer involves how to demonstrate compliance to Regulatory Bodies with regard to cyber-security. Currently, the onus is on med device manufacturers (whom are the experts on their devices) to show safety in case of loss of data integrity and security through Risk Management exercises, including simulated use environment testing to identify breaches and potential risks. Another great resource is the FDA whitepaper on the subject. While there are several security researchers that have designed multiple schemes to ensure the security of wireless medical devices, as of now there is no single standard outlining cyber security protocols. However, an IMDRF work group is meeting in Tokyo and working on a harmonized standard. No word as of yet regarding when it will be published. A tertiary concern is which wireless technology to use. Will it be WiFi, Bluetooth, Cellular, LoRa, or some new low-power RF technology? The wireless capable device space, or Internet of Medical Things (IoMT) is the new Wild West for medical devices. It is important to be proactive and lead the way through the regulatory maze instead of waiting for other companies to chart a path. Contact regulatory bodies and share resources with your medical device network! Does anyone have other resources or success stories to share about the wireless device regulatory environment?

Leave a Reply

Your email address will not be published. Required fields are marked *