
1 FiHTA: Cybersecurity and the US FDA - may I have permission? 11.3.2016
Tom Ståhlberg, Director, Regulatory Affairs; Acting Executive Director, FiHTA (Finnish Health Technology Association)

2 Software: increasingly in focus worldwide!

3 Software has always been part of EU and US medical device (MD) law
- Council Directive 90/385/EEC on active implantable medical devices
- Council Directive 93/42/EEC on medical devices, as amended by Directive 2007/47/EC
- Directive 98/79/EC of the European Parliament and of the Council on in vitro diagnostic medical devices
MD/IVD definition: software has been included from the very beginning!! But a stronger and growing focus since 2005.

4 Software and the regulators? A hard nut to crack
Laws, regulations and interpretations have constantly lagged behind. Still, software is subject to oversight!!!

5 Software - no difference, no exemption!
- Intended use: is it an MD?
- Risk classification: how much is required!
- Essential requirements vs. general/specific controls
- Prove that you meet the requirements! USA: 510(k), PMA, De Novo… EU: CE mark/registration

6 The patient is the focus
Products and services must be safe and effective.

7 Example: Mobile (Medical) Apps
Mobile apps - software applications running on a mobile platform. Well over 100 000 mobile medical apps exist; about 100 have been cleared by the US FDA. Reason for the rapid expansion: an innovative means to improve health and health care.

8 US FDA: Mobile Medical Applications - Guidance for Industry and Food and Drug Administration Staff
- Draft guidance, July 21, 2011 (several comments received!)
- Final version, September 25, 2013, revised 2014
- "Nonbinding recommendations" - still take it seriously!

9 Mobile Medical Apps: FDA focus
An app is a mobile medical app when it meets the definition of a medical device AND is intended to be used as an accessory to a regulated medical device OR to transform a mobile platform into a regulated medical device.

10-12 When do regulations apply? (one slide built up in three steps)
- Mobile apps used for facilitating health and wellness but which are not medical devices: NOT an MD regulatory issue!
- Mobile medical applications, but low risk: US FDA enforcement discretion
- Mobile medical applications, high risk: same regulations as for any medical device
"Tailored approach supports innovation while protecting consumer safety"

13 US FDA focus
The FDA focuses its regulatory oversight on the subset of mobile medical apps with greater risk to patients. The majority are thus not subject to enforced requirements under the Federal Food, Drug, and Cosmetic Act (enforcement discretion): no manufacturer licensing, no product filing. However, if something goes wrong... and there are strong recommendations to have a QMS according to the QSR.

14 How can you know?
Separate lists:
- Examples the FDA has cleared or approved
- Examples for which the FDA will exercise enforcement discretion
In the Guidance:
- Examples that are not medical devices
- Examples under enforcement discretion
- Examples in the FDA's regulatory oversight focus

15 US FDA regulatory focus, examples
- Mobile apps controlling an infusion pump
- Mobile apps acting as a remote control or synchronization for computed tomography or X-ray machines
- Mobile apps controlling an implantable neuromuscular stimulator, cochlear implants, or the inflation/deflation of a blood-pressure cuff
- Mobile apps displaying, transferring, storing or converting patient-specific MD data from a connected device (e.g. bedside monitors, remote monitoring of labor progress)

16 MD in regulatory focus??
Mobile apps are then subject to all requirements depending on their device class (21 CFR)!
Class I: General controls
- Establishment registration, MD listing (Part 807)
- QSR (Part 820)
- Labeling requirements (Part 801)
- MD reporting (Part 803)
- Premarket notification (Part 807)
- Reporting corrections and removals (Part 806)
- IDE if clinical studies of investigational devices (Part 812)
Class II: General controls, specific controls, and for most a premarket notification
Class III: General controls and premarket approval (Part 814)

17 Cybersecurity - targets
"Summary of Problem and Scope: Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates."

18 Cybersecurity as an example - not yet / a question of time? Information security??
"The FDA is not aware of any patient injuries or deaths associated with these incidents nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time"
Or?
- FDA: "We are aware of hundreds of devices involving dozens of manufacturers that have been affected by cyber security vulnerabilities or incidents"
- "Veterans Affairs Department: Experienced 122 virus / malware infections in medical devices in the last 14 months that had the potential to harm patients"
- "Department of Homeland Security: …reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors"

19 Cybersecurity - surely nobody would attack health technology?
The FDA has woken up to this:
- Hacktivists (i.e., anonymous individuals) wishing to cause service interruption
- Thieves desiring to sell or monetize personal health information, engage in identity theft, commit financial fraud against individuals and/or the health care organization, or defraud Medicare and/or Medicaid
- Malicious groups or individuals seeking to cause harm to patients (possibly targeting VIP patients) or seeking to damage the health care organization's brand
- Malware which evades existing antivirus engines and rules but is not specifically targeted at medical devices

20 Cybersecurity - does industry know how?
Review of 41 cybersecurity deficiencies:
- 32 of 41 (78%) deficiencies indicated that no cybersecurity information was provided in the file (including wireless security)
- 9 of 41 (22%): the cybersecurity information provided was not sufficient
Total = 100% ….

21 Cybersecurity - Premarket

22 Cybersecurity - Premarket

23 Cybersecurity

24 Cybersecurity - Post market

25

26 Cybersecurity - Overall

27
- Risk management - include cybersecurity throughout the life cycle
- Quality management system - processes to cope with cybersecurity
- Submissions - cybersecurity risk mitigation
- Post market - processes for identifying and acting on cybersecurity issues

28 Cybersecurity

