Ongoing EU leadership in Regulations
The European Commission’s In Vitro Diagnostic Medical Devices Regulation (IVDR, Regulation (EU) 2017/746) addresses several weaknesses of the earlier In Vitro Diagnostic Medical Devices Directive (IVDD, Directive 98/79/EC) and brings significant regulatory changes for manufacturers of in vitro diagnostic (IVD) devices that want to sell legally in the European Union.
The new IVDR greatly expands the scope of compliance and increases the number of IVD devices subject to rigorous oversight. It aims to address concerns such as patient safety and transparency, and as a result sets greater expectations for clinical evidence and closer scrutiny of manufacturers’ data. The IVDR was scheduled to apply from May 2022; however, the Covid-19 pandemic has forced the EU to push that date back, likely to May 2023.
An IVD medical device encompasses a wide range of laboratory-developed tests, point-of-care devices, instruments, reagents and kits used to analyze human samples and guide clinical decision making. The new IVDR increases traceability throughout the supply chain by introducing a Unique Device Identification (UDI) system, a risk-based classification scheme and new standards for clinical evidence. It also adds post-market vigilance reporting and surveillance requirements. The Regulation thus tries to balance proportionate, responsible regulation against an increasingly technological approach to healthcare, including software and algorithms that form part of IVD instruments and Software as a Medical Device (SaMD).
Interestingly, the new IVDR has no grandfathering provisions. A manufacturer that has been selling IVD devices in the EU for several years will already conform to the original IVDD, but that does not waive the obligation to comply with the new IVDR in order to keep selling legally in the EU.
Risk-based Classification of IVDs
The IVDR introduces seven risk-based classification rules that sort IVDs into four risk classes; the class determines the device’s conformity assessment route and its product-specific technical documentation requirements.
- Low risk (Classes A and B): products for general laboratory use, instruments specifically intended for IVD procedures and specimen receptacles are Class A. Controls without a quantitative or qualitative assigned value, and self-testing devices for non-critical conditions, are Class B.
- Moderate risk (Class C): devices intended for detecting sexually transmitted agents, detecting infectious agents in cerebrospinal fluid or blood, cancer screening and diagnosis, human genetic testing, and pre-natal screening of women for immune status towards transmissible agents.
- High risk (Class D): devices for detecting transmissible agents that cause a life-threatening disease with a high or suspected high risk of propagation, and for determining the infectious load of such a disease where monitoring is critical to patient management.
Devices in Classes C and D are also subject to more frequent surveillance assessment on top of their technical documentation. The Performance Evaluation Report (PER), Periodic Safety Update Report (PSUR) and Summary of Safety and Performance (SSP) are expected to be updated at least annually, with the updates drawn from data gathered under the Post-Market Surveillance (PMS) plan.
Covid-19 IVD tests
The novel coronavirus that emerged in China at the end of 2019 and spread to almost every country has dominated public life the world over, as well as the headlines, ever since. The question before public health authorities is how people infected with the virus can be diagnosed and treated quickly. Effective containment requires a quick and reliable diagnostic test. False negatives are dangerous because they allow the virus to spread further, while false positives lead to unnecessary and drastic measures such as isolating patients who are not actually infected. Errors in either direction are therefore unacceptable.
2019-nCoV is clearly a pathogen with a “high or suspected high risk of propagation”. The number of deaths also shows that it causes a life-threatening lung disease, and a worrying recent trend is increasing mortality from cardiovascular complications. Both conditions of the Class D rule (life-threatening disease and high risk of propagation) are fulfilled, so IVD devices used to test for the coronavirus fall into the highest risk class: Class D.
Risk Management for Security and Safety
Risk management is the process of identifying and measuring risks to safety and effectiveness that result from the intended use and foreseeable misuse of a medical device, and reducing them “as far as possible” to an acceptable level. The process comprises security risk analysis, security risk evaluation, security risk control, evaluation of residual security risk and reporting, all documented in the risk management plan.
If a security risk or a security control could affect safety or effectiveness, it must be included in the safety risk assessment. Likewise, any safety risk control or consideration that could affect security must be included in the security risk analysis. Manufacturers should choose risk controls that maximize device cybersecurity without unduly weakening other safety controls. As a company’s portfolio changes through development or acquisition, the risk analysis should be reviewed so that the risks introduced by new products are considered.
IVD Software & Algorithms
IVD software is used with or in many devices: in laboratory-based or point-of-care analyzers, in hand-held personal IVDs, as standalone software and as software upgrades to existing systems. Software that is part of an IVD instrument, Software as a Medical Device (SaMD) and software applications are all included in the definition of an IVD and fall within the scope of the IVDR. This includes companion diagnostic applications as well as stand-alone software. A manufacturer must hold a technical file that demonstrates the conformity of its standalone software with the applicable IVDR provisions.
Because computer algorithms can be ‘black boxes’, viewed in terms of inputs and outputs without a full understanding of their internal workings, it has been suggested that their use in some IVD areas, including genetic and genomic testing, should be specifically regulated.
Cybersecurity and IVDR
Recent technical advances have radically transformed health care delivery and have the capability to improve patient care. However, they have also left IVD devices exposed to security breaches. The new IVDR sharpens the legislators’ focus on ensuring that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks.
Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem. It requires manufacturers to develop and manufacture their products in accordance with the state of the art, taking into account the principles of risk management, including information security, and to set out minimum requirements for IT security measures, including protection against unauthorized access. To get a firm handle on IT security issues that may affect the business, it is essential to understand the relationship between three central concepts: threat, vulnerability and risk.
- A threat is what an organization defends itself against: an actor or event with the potential to cause harm, e.g. a denial-of-service (DoS) attack against a laboratory analyzer’s network interface.
- A vulnerability is a flaw or weakness that a threat can exploit and that undermines the organization’s IT security efforts, e.g. an unpatched web server flaw that lets an attacker into the system.
- Risk is the combination of the likelihood that a threat exploits a vulnerability and the severity of the resulting impact; it is the quantity that the risk management process estimates and reduces.
Cyber criminals continue to seize opportunities to exploit vulnerable networks amid the Covid-19 pandemic. According to the C5 Alliance, cyber-attacks on the healthcare sector had increased by 150% as of mid-2020. Research by Atlas VPN reports a 26% chance that 14% of patient monitoring tools will be attacked, and that 27% of medical devices are still running Windows XP or end-of-life Linux versions, exposing them to increased cyber threats.
Attack schemes include compromising IVD devices either to control them or to use them as a backdoor into a hospital’s IT network. This can harm patients or cause financial loss for providers, and poses major challenges for device manufacturers. A cybersecurity risk can also be a safety risk. For example, an attacker modifying patient data in transit from a pulmonary artery pressure sensor causes a misdiagnosis based on altered pressure readings and a worsening of the patient’s heart failure: a cybersecurity risk with a catastrophic safety impact. Similarly, an attacker who gains network access and manipulates a ventilator’s alarm messages to the central monitoring system may delay or block emergency measures, an incident with severe safety impact.
Not every cybersecurity risk has a safety impact, however. An attacker eavesdropping on the network traffic between a local patient monitor and the central monitoring station, and thereby obtaining the patient’s sensitive health information, is a cybersecurity risk with no direct safety impact. A network-spreading worm that encrypts the contents of a device’s hard drive and renders it unavailable is a cybersecurity risk with an indirect safety impact, since the affected systems can no longer be used to diagnose patients.
It is important to understand potential cyber threats and how to implement proper measures to protect patients and trial data. Designing security into devices and systems from the start of development protects users, because security features are much harder to add after the fact. Running software as intended requires IT security, information security and operational security. To be effective, cybersecurity measures must be addressed throughout the lifecycle of IVD software products. The appropriate level of cybersecurity activity on a software project is driven by several factors:
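The tampering and replay scenarios above come down to one engineering requirement: the receiving station must be able to tell a genuine reading from an altered or re-sent one. The following is an added example (not code from the original article or from any device vendor) showing a message authentication code (HMAC-SHA256) with a per-device sequence number on a constructed monitor-to-central-station message. The JSON field names, the device identifier and the shared key are assumptions for illustration only.

```python
"""Added example: authenticating sensor telemetry in transit.

Constructed message format; the key, device id and field names are
assumptions, not a real device protocol.
"""
import hashlib
import hmac
import json

# Key shared by the bedside device and the central station. Assumed to be
# provisioned per device out of band (e.g. at pairing); constructed here.
SHARED_KEY = b"\x01" * 32


def _encode(device_id: str, seq: int, payload: dict) -> bytes:
    # Canonical encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps({"device": device_id, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_reading(key: bytes, device_id: str, seq: int, payload: dict) -> dict:
    """Device side: attach an HMAC over device id, sequence number and payload."""
    tag = hmac.new(key, _encode(device_id, seq, payload), hashlib.sha256).hexdigest()
    return {"device": device_id, "seq": seq, "payload": payload, "mac": tag}


class Receiver:
    """Central station side: verifies the MAC, then rejects replayed messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # device id -> highest sequence number accepted so far

    def accept(self, msg: dict) -> tuple:
        try:
            body = _encode(msg["device"], msg["seq"], msg["payload"])
        except (KeyError, TypeError):
            return (False, "malformed")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag through timing differences.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return (False, "bad mac")
        # A valid MAC is not enough: an old genuine message must not be replayable.
        if msg["seq"] <= self.last_seq.get(msg["device"], -1):
            return (False, "replay")
        self.last_seq[msg["device"]] = msg["seq"]
        return (True, "ok")


def demo() -> dict:
    """Walk through the three cases from the text: genuine, tampered, replayed."""
    rx = Receiver(SHARED_KEY)
    # Constructed reading: mean pulmonary artery pressure in mmHg (assumed field).
    genuine = sign_reading(SHARED_KEY, "pa-sensor-07", 1, {"mpap_mmhg": 38})
    ok_genuine, _ = rx.accept(genuine)
    # Attacker on the path rewrites the value to look normal but cannot recompute the MAC.
    tampered = dict(genuine, payload={"mpap_mmhg": 18})
    ok_tampered, why_tampered = rx.accept(tampered)
    # Attacker re-sends the earlier genuine message to mask a later deterioration.
    ok_replay, why_replay = rx.accept(genuine)
    return {"genuine": ok_genuine,
            "tampered": (ok_tampered, why_tampered),
            "replay": (ok_replay, why_replay)}


if __name__ == "__main__":
    print(demo())
```

The MAC covers the sequence number and the device identifier as well as the payload, so an attacker can neither change the reading nor re-attribute it to another sensor. Note what this does not do: the reading is still sent in the clear, so the eavesdropping risk described above needs encryption (in practice an authenticated-encryption mode or TLS between monitor and station) in addition to the integrity check shown here.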
- the value of the assets held in the system, e.g. systems containing personal information need strong protection;
- the criticality of the system, e.g. systems expected to have high availability must be secured against denial-of-service attacks;
- exposure to the public internet, e.g. cloud software must be verified to a high level against known vulnerabilities.
Cybersecurity challenges for IVDR compliance
Multiple factors contribute to the cybersecurity challenges manufacturers face. IVD devices have evolved from standalone instruments into integrated, network-connected equipment with a large software component, which creates new security and privacy problems. Vulnerabilities already existed in medical devices; network connectivity, including wireless, has exposed them to a far larger threat landscape and amplified the risk. Software used in medical devices and Software as a Medical Device (SaMD) may be vulnerable to cyber-attack and must be protected with proper security measures. Much large, complex medical software was originally written to be functional and performant, with cybersecurity as an afterthought.
Consequently, health care has become a prime target for cyber-attack; a recent SANS Institute report found that 94% of health care organizations have been victims of cyber-attacks, including attacks on medical devices and related infrastructure. Many common threats remain problematic in health care, including criminals using malware and ransomware to shut down individual devices, servers or entire networks. An increasing amount of protected health information is stored in the cloud, and without proper encryption this is a weak spot in a health care organization’s security.
Criminals register websites with addresses that closely resemble reputable sites. Phishing campaigns send mass e-mail from apparently reputable sources to obtain sensitive information from users. While encryption is critical for protecting health data, it can also create blind spots in which attackers hide from the tools meant to detect breaches. Employees, through error or misuse (insider threat), can leave health care organizations open to attack through weak passwords and unencrypted devices, or can steal property or data or commit other crimes. Wearable and implantable IoT healthcare devices, from insulin pumps to monitors to pacemakers, can be vulnerable to attack; many IoT devices cannot run an endpoint security agent, so they have no way to block known malicious behaviour or an attack signature. Unprotected or lost mobile devices holding sensitive medical data are yet another source of exposure.
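Lookalike domains of the kind mentioned above are cheap to detect if a mail gateway or SIEM compares sender domains against the organization’s own trusted names. The following is an added example (not code from the original article or any product) that folds common homoglyph substitutions, then flags sender domains that either embed a trusted name or sit within a small edit distance of it. The trusted-domain list and the log lines are constructed for the example; the log format is an assumed MTA-style line, not any particular product’s format.

```python
"""Added example: flagging lookalike sender domains in mail logs.

The allowlist and log lines are constructed for this example and do not
describe any real organisation or mail system.
"""
import re

TRUSTED_DOMAINS = ["example-hospital.org", "labsupplier.com", "nhs.uk"]  # constructed allowlist

# Characters and digraphs commonly swapped in to mimic a trusted name.
_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                "rn": "m", "vv": "w", "cl": "d"}


def normalize(label: str) -> str:
    """Fold common homoglyph tricks so 'examp1e' and 'example' compare equal."""
    s = label.lower()
    for bad, good in _CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    # Crude: keep the last two labels. Adequate for the constructed data;
    # production code should consult the public suffix list instead.
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unrelated'."""
    d = domain.lower().strip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted"
    folded = normalize(d)
    reg_label = normalize(registrable(d).split(".")[0])
    for t in trusted:
        brand = normalize(t.split(".")[0])
        # (a) Trusted name embedded in an unrelated domain, e.g. brand.org.evil.net.
        if len(brand) >= 6 and brand in folded:
            return "lookalike:" + t
        # (b) Registrable label a few edits away from the trusted name. The
        # threshold scales with name length so short names do not false-positive.
        if edit_distance(reg_label, brand) <= min(2, len(brand) // 4):
            return "lookalike:" + t
    return "unrelated"


_FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def scan_log(lines) -> list:
    """Extract sender domains from the constructed log lines and classify each."""
    findings = []
    for line in lines:
        m = _FROM_RE.search(line)
        if m:
            dom = m.group(1)
            findings.append((dom, classify(dom)))
    return findings


SAMPLE_LOG = [  # constructed sample lines
    "2020-06-01T09:12:03 mail-in: from=<it-helpdesk@nhs.uk> to=<nurse@example-hospital.org>",
    "2020-06-01T09:14:40 mail-in: from=<noreply@examp1e-hospital.org> to=<doctor@example-hospital.org>",
    "2020-06-01T09:15:02 mail-in: from=<orders@labsuppIier.com> to=<purchasing@example-hospital.org>",
    "2020-06-01T09:20:11 mail-in: from=<login@example-hospital.org.login-portal.net> to=<admin@example-hospital.org>",
    "2020-06-01T09:21:55 mail-in: from=<news@weather.example.net> to=<doctor@example-hospital.org>",
]

if __name__ == "__main__":
    for dom, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:35} {dom}")
```

The third sample line uses a capital I in place of a lower-case l, which survives lower-casing as a one-character difference and is caught by the edit-distance rule; the fourth uses the trusted name as a subdomain of an unrelated registrable domain and is caught by the embedding rule. Either finding would normally feed a quarantine or a user-facing warning rather than a hard block, since legitimate partners occasionally do have similar names.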
IVD Cybersecurity best practices
Countering cyber-attacks starts with building security and safety measures into the device or application from the beginning of development and with a cybersecurity strategy. The first step is a risk-based cybersecurity plan that addresses vulnerability issues across safety, security, privacy, automation, software and design.
Second, manufacturers should ensure that the device design is simple and easy to update and adheres to regulatory guidelines. They should also establish a vulnerability management process so that fixes can be developed and deployed rapidly. At the same time, processes and protocols for handling security breaches need to be defined.
Evidence based compliance and conformity for IVDR
The IVDR requires manufacturers to keep the technical documentation for their devices up to date so that the devices’ conformity with the Regulation can be assessed. It should contain full details of design, production and quality testing.
This information ranges from the very basic, such as what the device is, to more complex design and manufacturing details. The IVDR also requires the EU Declaration of Conformity and copies of other relevant certificates to be kept available for the competent authorities for at least 10 years after the last device covered by them has been placed on the market.
IVDR obligations for manufacturers are to demonstrate the following in the device documentation:
- Analytical performance
- Clinical performance
- Scientific Validity
The IVDR also requires a Post-Market Performance Follow-up plan, including how it is to be defined within the quality management system (QMS).
To achieve CE marking, most manufacturers of Class B, C and D devices must submit the information above to a notified body for review. Manufacturers of (non-sterile) Class A devices self-declare conformity and register their devices without notified body involvement; they must still document the information listed above, but it is not reviewed before EU market entry.
Note: if an IVD manufacturer uses sub-contractors for design, development or production, this must be reflected in all documents, including the QMS status.
The Covid-19-triggered extension of the IVDR deadline gives IVD manufacturers some breathing space to achieve compliance. To keep selling legally in the EU, however, they will still need to scramble. Many will need IVDR regulatory and cybersecurity consultants to conduct formal threat modeling, cybersecurity risk analysis and vulnerability analysis to derive security requirements, and to perform formal reviews and penetration testing as part of verification and validation. They will probably also need implementation partners experienced in fixing vulnerabilities in IVD software and algorithms, whether through secure configuration of operating systems, web servers and database servers or through secure application redesign. Meanwhile, how the delay will affect the accuracy of Covid-19 tests, and what impact it will have on public health, especially in nations already ravaged by Covid-19 such as Italy, Spain, France and the UK (although technically outside the EU post-Brexit), will only become known in the coming years.
About the Author – Krithika is a Senior Software Engineer at Sequoia Applied Technologies. She is a software professional with domain knowledge of telecom and life sciences and is very passionate about technology.