Three years ago, I was visiting my primary care physician for an annual exam. My doctor was not fresh out of medical school and had been my family physician for a number of years. Dr. L did not like computers. He was writing on my chart in pencil (yes, a for-real paper chart!) when I noticed that the pencil was worn down so far that it would only write from one angle, and even so was more like a crayon. I looked at him and said, “You might want to sharpen that pencil.” He replied, “I can’t, this is a medical device.” Being the highly technical imaging person that I am, I said, “Forgive me, Dr., but that is not a medical device, it is just a pencil.” Slightly exasperated, he took off his glasses and looked at me, replying, “This is your chart, a medical record. Obviously, you can see I am making notes and documenting your diagnosis. You can’t do that with just any writing device, that would be illegal! I might be audited, you can only make a diagnosis with a medical device!” Not taking the hint, I said, “Well, at least sharpen it, you can barely write with that.” Now clearly ticked off, Dr. L replied, “Were you not listening?! This pencil is a medical device. If I were to sharpen it, I would have to have a licensed carpenter come in, charging me $400 an hour to sharpen it! You can’t go messing with a medical device unless you have FDA clearance!”
Sooooooo, maybe there is a hint of sarcasm in my story, but let’s talk about what a medical device is and what the FDA really says. I was at one time a vendor, and while I was, I said many of the same things about my system. Medical device… can’t patch… blah blah, FDA certification… I truly believed everything I said. I had been told that by my company, and I had never read any FDA filings (at the time), so I was retelling what was for me the truth. Like my former self, many vendors have never read, nor do they understand, the FDA process.
The FDA defines a Medical Device as “…an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.” (Syring, 2018)
From that definition we could assume that yes, a pencil is indeed a medical device, or could we? Did the pencil do anything? Did it assist in the diagnosis? Not really, it assisted in recording it. Similarly, we have to look at the distinction between things that are used in the diagnosis and things that merely support it. Is a CT or Ultrasound a medical device? Yes, no question. What about PACS? The software is considered a medical device, but the hardware it is running on likely is not. Let’s examine a real 510(k) letter for a PACS. By the way, if you want to look up the certification for your vendor, which I strongly encourage, you can do so on the FDA website.
Back to Vendor X…… “PACS X is medical image and information management software that is intended to receive, transmit, store, archive, retrieve, manage, display, print and process digital medical images, digital medical video and associated patient and medical information. PACS X includes a suite of standalone, web-enabled software components, and is intended for installation and use with off-the-shelf hardware that meets or exceeds minimum specifications.” (emphasis added)
What this means is that the software is a medical device, and when the SOFTWARE is patched it must be tested in accordance with General Principles of Software Validation (Food and Drug Administration (FDA), 2001). The hardware that it runs on, however, is not subject to that requirement. You can run PACS X on any hardware that meets or exceeds specs and it has no impact on the FDA certification whatsoever! A vendor is well within their rights to provide an approved hardware list, but this is a support issue and not an FDA issue. This distinction is very important!
Because the computer and operating system that run PACS software are not part of the 510(k) certification, there is no requirement for the FDA to review security patches.
“Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.” (Food and Drug Administration, 2018)
There is a one-page fact sheet that is very clearly written, and I also encourage you to read it.
In summary, your PACS software IS a medical device; however, what it RUNS on likely is not. Especially given security concerns, it behooves us all to read the FDA guidance and hold our vendors accountable to make sure that our devices are patched and up to date. No one wants to report to the CEO or CIO that their system was responsible for a virus or ransomware attack on the enterprise. Also surprising to me was that, for all the secrecy and mystery surrounding medical devices and subsequent maintenance, the FDA website is surprisingly clear and easy to understand.
Thank you for reading, please post comments and questions!
Food and Drug Administration (FDA). (2001, 02 25). Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software”. Retrieved from Food and Drug Administration Website: https://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm070634.htm
Food and Drug Administration. (2018, 02 02). Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software”. Retrieved from Food and Drug Administration: https://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm070634.htm
Food and Drug Administration. (2018, 02 07). THE FDA’S ROLE IN MEDICAL DEVICE CYBERSECURITY. Retrieved from Food and Drug Administration: https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf
Syring, G. (2018, 02 25). Overview: FDA Regulation of Medical Devices. Retrieved from Quality and Regulatory Associates: http://www.qrasupport.com/FDA_MED_DEVICE.html