Tuesday, October 21, 2014

POODLE, BEAST, Heartbleed: how secure is your “secure” medical device?

The ability to remotely view, configure, and / or control any modern medical device in today's interconnected world is taken for granted -- a device not having such capabilities right now might put the vendor at a great competitive disadvantage.
This added convenience, however, has been subject to well publicized successful remote penetration attempts with scary consequences. To quote an article in Wired Magazine:
"In a study spanning two years, Erven and his team found drug infusion pumps – for delivering morphine drips, chemotherapy and antibiotics – that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care."
Regulators have long recognized the potential exposure to IT-specific vulnerabilities in a medical device that includes such IT technologies, and have provided guidance on how to apply the existing risk assessment and risk management components of the regulatory frameworks to cybersecurity. This is all well and good; however, complying with the provisions of the regulatory frameworks themselves is not sufficient to ensure that the actual device, as part of an interconnected system, is immune to such attacks.
Additionally, most vendors have responded to some of these reports by implementing seemingly secure solutions based on off-the-shelf technologies, one of the most popular being the use of SSL to encrypt the communication between the device and a remote client or server. To the uninitiated, SSL seems to be a secure way to connect. All banks are using this, right? 
The devil is in the details, however. There are 6 flavors of SSL in use today (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2, with TLS 1.3 coming out soon). Only 2 of the flavors currently in use (TLS 1.1 and TLS 1.2) are not compromised; all the others can be penetrated today using well publicized exploits. Moreover, some of the ciphers available for each of these are compromised as well. And if the device is based on the open source library OpenSSL 1.0+ (which most of them seem to be nowadays), it is vulnerable to an external penetration attack unless its heartbeat capability is disabled by a patch. Very few vendors, however, have the sophistication needed to recognize all these nuances -- and even if they do, the willingness to incur the cost of implementing a fully secure solution.
Moreover, with the possible exception of FIPS 140-2, applicable to procurement by the federal government, there are no certification standards applicable to medical devices to ensure that they are cybersecure -- as there are for electrical safety and electromagnetic compatibility testing (UL, CE), fluid ingress, shock and vibration, etc. It is up to the vendor to define what compliance with cybersecurity regulation means. In some extreme cases, that is only a statement, based on a superficial risk analysis outcome, that the risk of a cybersecurity attack on the device is believed to be negligible ("who would want to hack into our device and why?"), so no cybersecurity countermeasures are needed. In the best of cases, the use of SSL for encryption and the use of a [well known] default password are deemed sufficient (or are they?). So how can we know?
A good start would be to ask the vendor to fill out use-mode-specific cybersecurity checklists as part of the procurement process for medical devices. These checklists would have to be detailed enough to include items such as: encryption protocols and ciphers supported and / or blocked; the list of open and blocked ports; multi-factor security (possibly using biometrics and / or X.509 certificates); password complexity / expiration / history enforcement; role-based security; security logs and alerts; intrusion detection and prevention mechanisms; digitally signed updates; anti-malware; vulnerability monitoring; containment and rapid response policies; and statements of immunity to well known exploits like Heartbleed, BEAST, POODLE, etc.
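As an added example (not part of the original post), here is a Python script that scores a vendor's answers to such a checklist against the protocol, cipher, Heartbleed and default-password points made above, and that can pin a single protocol version in a live handshake to verify one of those answers. The declaration format, its field names and the two sample vendor answers are assumptions constructed for this example.

```python
"""Score a vendor's declared TLS configuration against the checklist items above.
The dict format and field names are assumptions made for this example."""
import re
import socket
import ssl

# Protocol versions the post treats as compromised, with the attack that broke them.
COMPROMISED_PROTOCOLS = {
    "SSLv2": "obsolete; weak handshake and cipher negotiation",
    "SSLv3": "POODLE (CBC padding oracle)",
    "TLSv1.0": "BEAST (CBC chosen-plaintext attack)",
}
# TLS 1.1 and 1.2 are the two the post calls uncompromised; 1.3 postdates the post.
ACCEPTED_PROTOCOLS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Substrings of OpenSSL-style cipher suite names that mark a weak or broken suite.
WEAK_CIPHER_MARKERS = {
    "NULL": "no encryption or no authentication",
    "EXP": "export-grade (40/56-bit) key",
    "RC4": "RC4 keystream biases",
    "DES-CBC-SHA": "single DES (56-bit key)",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
}


def heartbleed_exposed(openssl_version, heartbeat_enabled):
    """Heartbleed affected OpenSSL 1.0.1 through 1.0.1f when the TLS heartbeat
    extension was compiled in; a build with heartbeat disabled is not exposed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", openssl_version.strip())
    if not m:
        raise ValueError("unrecognized OpenSSL version: %r" % openssl_version)
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    affected = release == (1, 0, 1) and m.group(4) <= "f"  # "" (plain 1.0.1) sorts first
    return affected and heartbeat_enabled


def assess(declaration):
    """Return the findings for one vendor declaration; an empty list passes."""
    findings = []
    for proto in declaration.get("protocols", []):
        if proto in COMPROMISED_PROTOCOLS:
            findings.append("protocol %s enabled: %s" % (proto, COMPROMISED_PROTOCOLS[proto]))
    for suite in declaration.get("ciphers", []):
        for marker, reason in WEAK_CIPHER_MARKERS.items():  # first matching marker wins
            if marker in suite.upper():
                findings.append("cipher %s enabled: %s" % (suite, reason))
                break
    if heartbleed_exposed(declaration.get("openssl_version", "0.0.0"),
                          declaration.get("heartbeat_enabled", True)):
        findings.append("OpenSSL %s with heartbeat enabled: exposed to Heartbleed"
                        % declaration["openssl_version"])
    if not declaration.get("default_password_changed", False):
        findings.append("shipped default password still valid: require a change at commissioning")
    return findings


def probe_protocol(host, port, version, timeout=5.0):
    """Verify one checklist answer live: attempt a handshake with a single protocol
    version pinned.  Returns (True, cipher), (False, error), or (None, reason) when
    the local OpenSSL cannot offer that version at all (typical for SSLv2/SSLv3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we test protocol support here, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except ValueError as exc:
        return None, str(exc)
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


# Constructed vendor answers for the checklist; not a real device's configuration.
WEAK_DECLARATION = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "ciphers": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC-SHA"],
    "openssl_version": "1.0.1e",
    "heartbeat_enabled": True,
    "default_password_changed": False,
}
HARDENED_DECLARATION = {
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "openssl_version": "1.0.1g",
    "heartbeat_enabled": False,
    "default_password_changed": True,
}

if __name__ == "__main__":
    for label, decl in (("weak", WEAK_DECLARATION), ("hardened", HARDENED_DECLARATION)):
        print(label, assess(decl) or ["no findings"])
```

A vendor's written answer is only a claim; `probe_protocol(host, port, ssl.TLSVersion.TLSv1)` against a test unit on an isolated bench network is how the protocol line of the checklist gets verified.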
What do you think?

Wednesday, August 31, 2011

What Does "Regulatory Compliance" Mean?

When you talk about "regulatory compliance" in the context of Medical Systems, in addition to the well-known aspects of GMP/GCP/GLP FDA and the equivalent EU / Canada / Japan / China / etc. compliance standards, one must consider other, broader aspects of compliance such as those related to contracts, payments, anti-kickback, foreign corrupt practices, sustainability, carbon emissions, RoHS, OSHA, etc.

Since the state of compliance is generally determined by an external third party (through a regulator or an authorized contractor audit), an activist regulatory affairs group would make a case for going all out and implementing any and all published guidance and best practice details in an attempt to "audit-proof" your quality system. Unfortunately, the cost of adopting such a "worst case scenario" strategy will be punitive to the bottom line, potentially impacting not just margins but also time to market and / or competitive feature sets.

A more minimalistic mindset (found most prevalently in startups and smaller companies) would lobby for implementing only what is absolutely necessary to pass a superficial, high level external audit -- and nothing more. Unfortunately, this approach is akin to playing Russian roulette: just because you passed an external audit yesterday does not necessarily mean that you will pass another one tomorrow; it only means that you were lucky that the auditor did not probe in the areas of your weakness (yet).

So, how do you decide to what level of detail & intensity you should develop procedures and ensure "compliance" (as defined by the average external auditor probing at random) in each of these areas?

The key insight is that, to the regulator, adequacy of compliance is judged based on the perceived level of risk to society (the general population) a company and / or its marketed products might pose.

Based on this key insight, the right approach then would seem to be to establish and maintain a dynamic cost-optimized balance of the level of detail within each compliance related area based on the potential level of risk the company and its product(s) can pose in the market(s) where it competes, the regulation(s) which are applicable, and the state of compliance of its main competitors similar in size and which sell in the same or similar markets.

Are you doing this already? If so, how is it working for you?


Tuesday, May 17, 2011

Top 7 Due Diligence Pitfalls – How To Avoid?

So you are contemplating the acquisition of a small company with an exciting product and technology that seems to complement your own. The few early adopters seem relatively pleased, your marketing team is quite excited about the market potential, and the financial model (based on the proverbial “hockey stick” sales forecast) seems to work out. Your legal team gives you the green light as well.
Two weeks before the closing, you send your due diligence team on location. Based on the initial conversations with the target, you already have a very good feel about this. Looks and sounds like a done deal, right?
Well, studies show that more than 85% of such acquisitions fail to deliver against initial expectations, and most by a wide margin. A post-mortem analysis study on small company acquisitions by large corporations that ended in a significant (80% and greater) capital loss to the acquirer points to discounted issues already found in due diligence as the main drivers of the ultimate financial non-performance.
Let’s examine the 7 top reasons why, and how you could save millions just by avoiding these pitfalls.
1. The underlying technology is a solution looking for a problem. Many “groundbreaking innovations” have failed spectacularly even if there were a few early adopters and technology enthusiasts. The “hockey stick” never materializes. Perhaps the product was developed as a custom solution for a few people and then packaged and sold to you as the “next revolution”?
2. Ignoring manufacturability, sourcing, quality, and yield issues. The “dream product” works well as a prototype and perhaps even in small batch manufacturing, yet you are planning to ramp up significantly and the design is not mature and robust enough for that. The risk is identified; however, it is discounted as a “manageable issue”, even when it’s clearly not.
3. The product design is “almost done”. The product development team is ironing out a few last details, and the product will launch in a few short months. Be very circumspect in such situations. It is very likely that the remaining issues are not trivial, and they will not be “ironed out” without a significant additional investment, time, or both. The stability and market acceptance of a product can only be proven within six months or more after launch. It is almost always best to wait until “almost done” becomes “verifiably done”.
4. Ignoring quality systems and regulatory compliance scaling. The level of regulatory scrutiny correlates with the size of the company. The post-acquisition cost of bringing the state of compliance up to the acquirer’s standards is often misunderstood and minimized in due diligence, yet it becomes abundantly clear at the very next regulatory agency audit. In some extreme cases, the cost of the resultant remedial action can negate the entire financial upside – and then some.
5. Most of the key patents are either provisional or pending. The trap here is that there might be prior art and / or potential infringement issues in the space which might block your acquired product’s commercialization – or make it extremely expensive. There is usually not enough time to conduct a comprehensive claim analysis and prior art search in due diligence, so this is usually chalked up to the “risk bin” -- and with no corresponding financial model impact either.
6. Treating the earn-out agreement as a proxy for risk control. Yes, this will cover some of the risk, as you will not incur some (or most) of the acquisition cost when sales do not materialize. However, this will not cover your opportunity costs and the additional personnel and operational resources you will have to provide for the post-acquisition integration and the subsequent manufacturing, marketing, and sales ramp-up.
7. Treating technical and regulatory due diligence as confirmatory. Good engineers are an introverted bunch, with a great deal of respect for authority. If the task is to confirm a decision already made, they know that they will encounter a great deal of resistance from their boss if they come up with hard reasons to stop the deal. So they will list the showstopper issues as “potential risks” and side with the team in recommending a “conditional go”. The “risks” are soon forgotten, until (more often than not) they end up materializing several years later at a great cost to you to either continue with the venture or to divest and write it off.

To get assistance in identifying and quantifying these “hidden” areas of risk in due diligence, based on your specific timing and situation, please visit www.priusmedical.com for more information.

Thursday, May 12, 2011

FDA audit next week – how to prepare? Five easy steps


You are a medical device manufacturer or service provider and you have just received an FDA Form 482 (Notice of Inspection) stating an inspection start date a week from today. What can you do to improve your odds of success?
Step 1. Determine the type of audit – pre-announced inspections (like this one) can be of two main types:
1. Routine Audits – these are audits conducted at random (periodically) to sample your state of compliance; most firms should expect a routine audit once every 2-6 years, depending upon their size and their potential impact on the public’s health & safety.
2. For-Cause Audits – these are audits triggered by significant adverse events in the market: product recall(s), MDR(s), customer complaints to the FDA, etc. If this were the case, you would already be expecting this audit, since these events almost always trigger for-cause audits.
Step 2. Most auditors will request a copy of your firm’s Quality Policy and high level Procedures (including Management Review), Quality Manual, Quality Plan, or equivalent to better prepare for the audit. You are not required by law to provide the information prior to the audit, however:
- If your high level quality documents are solid, in the spirit of cooperation (and to start the audit off on the right foot) you might consider sending them to the auditor as requested.
- If you suspect that there might be gaps in your top level quality documents, assert your right to not send the information ahead of the audit as you do not have to provide a reason. The downside is that you might raise suspicion and possibly even antagonize the auditor, so weigh this option carefully.
Step 3. The FDA’s Guide to Inspections of Quality Systems – Quality System Inspection Technique (QSIT) identifies the following 4 major areas of focus in an inspection:
1. Management Control
2. CAPA (includes MDR, Corrections & Removals, and Medical Device Tracking)
3. Design Controls
4. Production & Process Controls (includes Sterilization Process Controls)
Other areas of interest might include Facility & Equipment Control, Material Control, and Records / Documents / Change Control.
Conduct a thorough review of your Quality System (best with the help of an impartial external consultant) in all the areas listed above (as applicable to your business) and list all potential gaps at every level of your Quality System: Policy, Procedures, Work Instructions, Records.
As you will spend most of your time with records, prioritize -- the auditor is most likely to request samples related to the audit trigger (recalls / MDR / complaints to the FDA) in a for-cause audit, and the latest released products or services in a routine audit. They will also follow up on previous findings and promises to correct that you have made in previous responses to 483(s) and warning letters, so be prepared to have a solid story on those as well.
The method that works best to conduct this gap analysis is to use a visual mapping approach that matches the top-down and the bottom-up QSIT methodology that the auditor will use. Get all the interested parties in a conference room and map your Quality System elements hierarchically (top-down) on a whiteboard. Discuss, and the procedural gaps will become evident.
For the “bottom-up” component, in a for-cause audit start with the “problem children” low-level records that relate to the recall, MDR, or customer complaint which most likely triggered the audit, and work your way up and across through the other components of your Quality System: was this complaint analyzed, was its root cause found, did it trigger a CAPA, do you have a CAPA plan, where is the CAPA now, did it trigger a correction or a removal, if so did you perform a Health Hazard assessment, did you send out a customer letter, did you inform the FDA if and when required, etc.
If this is a routine audit, follow the same steps above, starting with the most potentially impactful complaints, recalls, field defects, etc. related to the most likely targeted (newest on the market or linked to previous 483s or warning letters) products or services.
Make a list of gaps, prioritize based on severity and risk, assign a person responsible, and then have the team decide on a disposition: fix prior to the audit, put a plan in place (to be shared with the auditor only if the gap is found during the audit), or document the rationale for postponement (acceptable rationales are based on low impact probability and / or low risk to the public health).
Step 4. Rehearse the audit. This is best done with an external (impartial) consultant playing the role of the FDA auditor, and steering the lines of questioning across the most likely paths based on the type of the audit and the information that is believed to be known by the FDA externally. These lines should include a good mix of top-down and bottom-up threads, especially around the most important potential vulnerabilities as highlighted by the gap analysis.
As per the best practices for an FDA audit, set up a “front room” (where your regulatory affairs representative(s) will interface with the auditor and present copies of the requested documents) and a “back room” (where you would have your technical experts discuss the auditor’s questions and requests for documents, and provide the appropriate information to your “front room” team).
Your “front room” team should include people with experience in interacting with regulatory agencies, skilled both from a legal standpoint and from a human interaction standpoint. They should be trained in answering the auditor’s questions promptly and sincerely, limiting the information provided to just the response to the direct question, never contradicting themselves or each other, and having a likeable personality to maintain a pleasant working atmosphere with the auditor at all times.
Step 5. Iterate and improve. Have the mock auditor take copious notes during each rehearsal. Examine and discuss the image presented to the auditor. Are you able to respond quickly and in a satisfactory manner? Are your answers and the information provided relevant and complete? Are you controlling the information flow to just the items related to the auditor’s requests? Unbeknownst to you, are you leading the auditor in other areas not related to his or her line of questioning? Are you courteous and polite? Would he or she have reasons to suspect insincerity or cover-ups? Repeat until you are happy with the results or until the audit starts (whichever occurs first). Unfortunately there is a hard deadline on this one.
Remember, you can’t fix all the gaps in the short time until the audit. Outside of the things you promised the FDA that you will do (and which you will still be held responsible for), if you know what the other gaps are and if you can show the FDA that you have reasonable remedial plans in place, then you should do reasonably well in the audit.

Each situation and each company is, of course, different. To address your specific situation, please visit www.priusmedical.com for further details.

Wednesday, May 11, 2011

How to verify CAPA QSR compliance - 5 key elements

CAPA-related QSR requirements are quite far reaching. If you are coming from a manufacturing background, CAPA is conceptually similar to Six Sigma’s DMAIC methodology (Define / Measure / Analyze / Improve / Control), with a few key differences.

Under Six Sigma or Lean, the ultimate goal is usually a desired improvement in capability, cost position, or operational effectiveness. Under 21 CFR Part 820 (QSR), the goal of CAPA is to ensure early identification, removal, and preemption of systematic process non-conformances potentially affecting safety and / or effectiveness of clinical therapy, monitoring, or diagnosis. In other words, Six Sigma drives operational profitability (immediate shareholder focus) while CAPA drives safety and clinical effectiveness (immediate regulatory focus) -- arguably still a path towards profitability, although not necessarily in and of itself.

Back to the question - to be compliant with the QSR, your CAPA system must have adequate procedural and operational coverage for the following five key elements:

1. Comprehensive “data feeders” covering your company’s entire set of “touch points” with the external environment (or their proxies): complaint logs, MDR investigations, service, manufacturing, industry publications, internal or external audits, previous CAPAs, engineering reviews, supplier audits, incoming inspection of parts and materials, customer call rates, Top X rates, etc. with specific triggers (or “normal limits”) defined for each feeder.

2. Feeder status reviews (monthly?) to identify deviating trends early. Data mining and cross-correlation analysis are useful tools that should be considered. Once a trend indicating a possible non-conformity is identified, what is the risk to safety and / or clinical effectiveness? Based on the identified trend and specific risk, should a CAPA be raised? Should a recall be initiated? Should a customer letter be triggered?

3. Formal CAPA planning process with the following activities:

a. CAPA definition, symptoms, risk assessment, impact assessment

b. Formal Root Cause Analysis. FMEA, FMECA, FTA, etc. are all useful tools to be considered.

c. Corrective Action to eliminate the non-conformance. Might be procedural, training, labeling, design-based, process change, etc. Might include verification and validation activities as appropriate.

d. Preventative Action to prevent this and similar non-conformities from occurring in the future.

e. CAPA Effectiveness study to evaluate the effectiveness of the removal of root cause and of the prevention of this and similar non-conformities from reoccurring.

4. CAPA management and aging review at the most senior level possible, to ensure visibility, resource availability, and prioritization for a risk-adjusted timely resolution of all active CAPAs.

5. Formal CAPA documentation process to capture and document all CAPA-related activities executed, inclusive of management reviews.

Each situation and each company is, of course, different. To address your specific situation, please visit www.priusmedical.com for further details.

Friday, May 6, 2011

My program is late – yet again. What to do?

There are always good reasons. The engineering estimate was overly optimistic. The requirements were not well defined. Your key piece of technology needs a little more “tweaking”. The contractor you hired works too slow and their output needs too much rework. And so on.
Your program manager seems to be an intelligent, personable, and articulate person. He is PMI PMBOK-certified and has great credentials. Yet the surprises keep coming -- this is the third 6-month delay he announced since the start of the program a year ago. Now there is talk from marketing to cut back on scope so you can launch something before the trade show this fall, even if it would be much less than the competition has on the market already.
If you were to believe the new estimates, then your program’s financial model would barely still make sense. And if the surprises were to continue, then your CFO would have a fit since you would either lose money if you would choose to go on, or you would take an immediate hit on the P/L if you were to cancel the program and reverse the capitalization of R&D expenses to date.
At this point, most executives would be tempted to make a “go / no go” decision based on their intuition. And it is possible that they would make the right decision. You could, however, take a more quantitative approach and decide based on facts and numbers, not just “gut feel”. For example, here is how our OnTrack(SM) program appraisal methodology works:
1. Determine the root cause(s) for the delays:
a. How were the requirements captured? Was the technical approach selected before the requirements were captured?
b. How were the estimates determined? Top-down or bottom-up? By edict or by consensus? Were they benchmarked against other similar programs as a sanity check?
c. Do all the team members buy into the published estimates? Why or why not?
d. How were the risks captured? Were the impact and probability of each element of risk captured in the project plan?
e. How predictable is your product development process?
f. How capable are your engineers relative to the technical approach chosen? Your contractors?
2. Review and clarify your program’s scope. Tie it to the business value expected from commercialization (new sales or defending market share). Re-prioritize.
3. Review and refine your detailed requirements. Engage your system architects, integrators, and key suppliers. Fill in the gaps where needed.
4. Review your technical approach with your system architects and integrators.
5. Assess your extended team’s capability level – employees and contractors included. Use a defined, quantitative framework (like the SEI CMMI) as a basis for your assessment.
6. Re-examine your project risks. Do you have any key pieces of technology, uniquely skilled employees and contractors, key suppliers or regulators that can preempt or delay your program? If so, define and quantify (impact, branch, and probability).
7. Rework your schedule by taking possible resource bottlenecks into account. A good formal methodology to follow is the Critical Chain Project Management (CCPM) model based on the Theory of Constraints (ToC).
8. Determine your desired and alternate scenarios and the associated probability trees.
9. Review your program’s WBS and task lists for completeness and alignment with the technical approach chosen. Break down tasks to a resolution of between 8 and 80 man-hours per task.
10. Re-evaluate your individual task estimates. Engage the people who will have to actually execute. Capture each estimate at 2 levels of probability (50% and 80% are the most common).
11. Apply the capability correction factors determined at step 5 to the estimates determined at step 10 and to the probability trees determined at step 8.
12. Assemble a statistical predictive model including all the elements determined above. The output of this predictive model will be outcome probability curves for delivery dates and program cost.
Using these statistical predictive curves, you can now answer the following questions:
- What is the probability that my program will be finished by November 21st, 2011?
- With a 90% confidence level, what will this program cost us?
- With an 85% confidence level, on what date will this program be delivered?
These quantitative answers can now drive your financial model, and you and your team will have the visibility to determine whether continuing to invest in the program makes sense, or stopping the program at this point would bring more value to the firm.
Each program is different, and they all have their own sources of uncertainty. By using our OnTrack(SM) program appraisal methodology, we have saved mid-tier companies tens of millions of dollars in unnecessary spending. If you would like urgent assistance with your specific program, please visit www.priusmedical.com for details.

Monday, May 2, 2011

How to best respond to an FDA 483 letter?

Let’s face it, receiving a Form 483 letter (Notice of Inspectional Observations) from the FDA has never been much fun. And since the September 2009 change to the statutory response time (now 15 days) there isn’t that much time to react. What to do?
1. Don’t panic. I know, I know – these words usually have the opposite effect. Beyond the cliché, however, you will find that keeping a detached attitude and a cool head, even with such a short response deadline, will help you in the long run. The 483 letter’s wording will cite specific observations and then generalize the non-compliance back to the high level provisions of the Code of Federal Regulations (21 CFR Part 820, Part 11, etc.). Even though this might imply that your firm is completely out of control in those areas, in reality it just puts the onus on you to argue, to the FDA’s satisfaction, that the letter’s implied inference is incorrect, as the inconsistencies (if accurate) will be removed in a timely fashion. And that is the purpose of the response letter.
2. Immediately appoint a “Response Manager” (RM) and assemble a response team. Your response team should include representatives from all the functional areas cited (manufacturing, operations, engineering, etc.), quality / regulatory leadership staff, external consultants, etc.
3. Your RM should prepare a tracking spreadsheet with the following content:
a. The observation as worded in the 483 letter
b. Name of responsible individual
c. Due date for response draft
d. Summary of the internal investigation
e. Root cause (if applicable) related to each of the specific observation(s)
f. Plan to eliminate root cause (action items, people responsible, due dates)
g. Systemic issue (if applicable) related to the result of the internal investigation
h. Plan to implement systemic change to prevent similar non-conformances in the future
i. Plan to verify the effectiveness of the correction and of the systemic change
j. The response as worded in the response letter
4. Some 483 observations might be related to FDA recommendations and might not cite violations. You might want to consider improvement plans in those areas, or explain why not based on a documented risk assessment (or other viable considerations).
5. For observations which you believe were based on incomplete or inaccurate evidence, it is best to prevent such observations during the audit if at all possible (how to prevent inaccurate 483 observations during an audit is the topic for another discussion). Failing that, however (and if you still believe that the observation is inaccurate), you can try to argue your point in the response letter, but only if you can produce new factual evidence that supports your claim. You should include copies of the factual evidence as attachments to your response.
6. Your correction and improvement plans will be much more believable to the FDA if you retain the assistance of qualified external consultants to plan, manage, and / or execute the action items contained therein. After all, if your employees had the requisite knowledge and expertise already, why did your firm exhibit the non-conformance(s) in the first place?
7. Your RM should start assembling a Proof Book to show the FDA when they return, with the following entries:
a. A copy of the original 483 letter
b. A copy of your response and any subsequent correspondence with the FDA
c. Proof of remedial activity (plans, dates, status reports, protocols, decisions, training records, proof of task completion, internal audit reports, proof of effectiveness, etc.)
d. Traceability of findings to responses, plans, CAPAs, recalls, customer letters, etc.
8. Your quality system might require that a CAPA and / or a complaint be raised for each 483 observation, or just for the ones with a higher level of risk. Make sure to follow all your internal procedures as well.
9. Your action plans should be believable, achievable for your level of corporate resources, and timely. Have your Legal department (or your external legal counsel) review your response letter before you send it in. Your response letter is a legal document and you will be held to it when the FDA returns.
10. Send your response to arrive no later than 1 day before the deadline via a traceable delivery system with proof of delivery. USPS Express Mail overnight usually works best, FedEx overnight a close second.
Each regulated area is different, and not all consultants and consulting companies are equally qualified in all areas of compliance (even if you or someone you know did business with them in the past). If you would like urgent external assistance and you are not sure who to call, we can help you quickly locate the best consultant or consulting firm for your very specific situation. Please visit www.priusmedical.com for details.