Tag Archives: medical devices

Understanding the Unique Requirements for Medical Computers in a Hospital Setting

Hospitals gather a large population of infected individuals in one place, so it’s difficult to keep nosocomial infections from happening. That requires different standards for hospital operation and use of equipment. One of the largest reasons for hospital beds and rooms filling up is the invisible agent—microbes and bacteria that pass on unwanted viruses and pathogens that can quickly affect a small population. Since medical computers and devices operate with patient care in mind, a device’s build, materials, controlling software, and other factors must be carefully considered, pass FDA regulations, and meet the necessary standards. Plus, medical care is not just a “part time” task. Hospitals operate on a round-the-clock schedule—a health-related disaster can strike at a moment’s notice, especially within an intensive care unit. These specific reasons why medical computers and devices are unique to the hospital environment are examined in detail here.

Medical Computers Need Antimicrobial Housings

Medical grade computers are built with either an antimicrobial coating sprayed onto the device post production or an antimicrobial resin mixed into the plastic housing during manufacturing. But what exactly does that mean? Antimicrobial is an umbrella term that describes a range of abilities that disinfect and ward off the growth of microorganisms, whether bacterial, fungal, viral, or parasitic in nature. The benefit of these medical computer builds is that even with microbes passing from surface to surface, the plastic housing of these medical computers discourages microbe growth. After multiple uses by several medical professionals, a computer built with antimicrobial plastics can still help prevent the spread of germs without constant disinfection. Recent news reports detail a bacterial outbreak at a nationally renowned hospital that infected ten patients; thankfully, none of the infections were fatal. The patients were infants. An online report that detailed research into an Army ICU revealed MRSA bacteria living on keyboards, a problem that could have been alleviated with antimicrobial materials. It’s clear to see why medical computers require antimicrobial housing.

Medical Grade Computers Need to Meet Standards

One might ask what kind of regulations hardware and software might need for a hospital. A lot of consumer off-the-shelf products, both hardware and software, aren’t safe for patient and medical use. Consider what the implications of using buggy software on a medical device could be! For that reason there are several rules, regulations, and standards for medical devices, some set by the International Electrotechnical Commission. One of the most accepted standards is the 60601-1 electrical and radiation standard, addressing verification, design methodology, risk / safety assessment for patients and staff, and other factors. It’s not possible to determine the total number of test cases for final revisions of hardware, which is why this standard is in place. Every revision this standard goes through brings significant changes to how medical grade computers and other devices must be built, often focusing on the medical device’s operational distance to the patient. There are three distance classifications for the standard: B, BF, and CF. Type B operates near the patient, BF makes contact with the patient, and CF makes contact with a patient’s heart. Any medical device, whether in close vicinity or making contact with the patient, must meet the standards for safety. The FDA ensures medical grade computers and devices pass these standards for the safety of patients and the professionals that use them under the 510(k) regulation, requiring that manufacturers demonstrate their product is safe. There are a number of manufacturers that claim to have medical grade products, but those products haven’t actually been independently tested. Be sure to do your homework before any major hardware deployment.

Hospitals Need to Operate 24/7

Hospitals need to operate on a 24/7 timeline. Fortunately, the medical grade computers in question can operate with those time demands. It’s not just a matter of having a computer that’s always on—it’s a question of the computer’s internal components and if they’re intended to be on 24/7. For instance, many medical computers have an emergency back-up battery installed in order to remain functional during a power outage. Imagine if the power went out, all medical computers shut down, and all that patient data was lost! Even though most hospitals are equipped with backup generators, the seconds between a power outage and the generators coming online could result in massive data loss. Medical computers with hot swappable batteries eliminate the need to be reliant on an AC power source completely. These computers are powered by removable batteries and can provide up to 16 hours of run time before you need to exchange the batteries.

Medical grade computers cannot operate in the same manner that consumer-grade computers do; the implications of losing data, hardware malfunction, overheating, spread of germs, and other factors are far too great to sacrifice for patients. Plus, computers with moving parts are more likely to malfunction, especially under 24/7 operation.

One Must Consider the Application as Well

Even within a hospital, different departments have different needs. Operating rooms, labs, and ICU units are often sterile environments. In these environments, a fanless medical computer would be required. To achieve fanless operation without overheating, these computers need to be built with specialized components that commercial grade manufacturers aren’t willing to invest in. The fanless operation prevents the spread of dust and germs through the air, which could be a major contamination concern in these highly specialized areas.

In a perfect world, we’d be able to stop all nosocomial infections. For the world we live in, it’s important to use the right tools for hospital use to avoid spreading infection, keep patients safe, and operate at a moment’s notice without a high risk of failure. The published studies show that these are factors required by all hospitals to operate in the best manner possible.


Extending the Life of Medical Equipment with Medical Grade PCs

The IT challenges and needs for a healthcare facility are far different than those of a traditional enterprise. Mobility, EMR compatibility, 24/7 operability as well as the need to mitigate the transfer of germs and disease must all be factored in. But even within the healthcare space, needs can vary tremendously. Consider the differences between a hospital in a large metropolitan area vs. a hospital in a rural area. In a lot of rural areas, medical facilities don’t have the luxury of large budgets or the ability to upgrade medical equipment as regularly as a larger hospital in a more densely populated area might have. Extending the life of that machinery in a cost efficient manner is vital for these types of facilities in order to provide the very best in patient care without breaking the bank.

A customer of ours recently reached out to us to let us know how they have managed to extend the life of their mobile x-ray units by integrating a medical grade computer. Their solution turned out to be a stroke of genius, and allowed their facility to move from the analog age into the digital age.

Mobility Matters in Medical Grade Computing

Our customer employed mobile x-ray units in rural areas that needed medical grade computers for control. Consumer-grade computers wouldn’t have fit the bill—carrying around a heavily-wired computer and monitor would have been insufficient and cumbersome for medical staff, so they used medical-grade PCs with hot swappable battery functionality. With a full 16 hours of uptime running on batteries, the staff didn’t need to connect to AC power while using their mobile x-ray medical devices with the medical grade computers. Plus, there’s no downtime with computers featuring hot swappable battery technology, ensuring constant healthcare. Internet connectivity is also a concern. In rural areas, internet accessibility isn’t the best, which calls for a different type of wireless capability. Many mobile computers are equipped with 3G and 4G wireless technology, so even in the most distant of places medical staff can send patient data to the hospital for review if need be.

Using Surgical Grade Monitors to Enter the Digital Age

Our customer was able to connect the surgical grade monitors to the mobile x-ray devices and get an instant x-ray result on the medical computer’s touch screen. Older technologies required large film emulsion plates that took hours to process within a dark room—that obviously isn’t a mobile solution. With an instant x-ray, our customer was able to zoom in on the patient’s affected area in question and diagnose patients. Instead of having to travel several miles to a distant hospital, wait for an x-ray, process the film, and then have a doctor review the x-rays, it’s done instantly on site so the hospital doesn’t need to purchase expensive and bulky film slates for x-rays. When patient mobility is reduced, it’s up to the medical staff to transport what’s needed in the most crucial times of patient healthcare. Our provided solution fit the needs for our customer and their patients.

Medical Devices in Healthcare IT Aren’t Cheap

Our customer needed a medical grade computer that interfaced with the mobile x-ray machines without a significant price tag. Older medical devices use a serial RS-232 port, which is a legacy port not often found on consumer-grade computers. The option to upgrade to a newer set of x-ray machines wasn’t available with average prices for them ranging well over 100 thousand. In acquiring the medical grade computers, they saved crucial business funds to focus on traveling to patients with hampered mobility.

Medical Computers That Also Meet Certifications

The medical grade computers our customer used weren’t just capable of interfacing with x-ray machines for medical staff use. The computers they purchased had a full spectrum of patient safety in mind, starting with an antimicrobial plastic that inhibited the spread and growth of microorganisms. These mobile computers with the hot swappable battery function were fanless and used internal solid state drives to prevent spreading dust and germs. They also met FDA standards for patient safety with a 60601-1 certification to protect patients from electrical and radiation-related hazards.

Online sources report that 80 rural hospitals have seen closures since 2010 and approximately 600 are suffering financially, numbers likely because patients and hospitals lack mobility. These computers helped the lives of people and kept hospital doors open. There are reasons beyond mobility, however, that prompted our customer to purchase these computers—they’re medically certified for hospital and patient room use. Consumer-grade PCs don’t measure up to the standard that these computers meet! Our customer was satisfied with their purchase of these computers with the hot swappable battery function, the instant x-ray feedback, and the medical certifications to protect patients.

 

Medical Device End of Life Cycle

3 Reasons Why End of Life Matters for Medical Equipment Manufacturers

The end of life (EoL) or PC life cycle is an important topic in the medical device manufacturing world. A PC life cycle can be defined as a cycle that describes the usefulness of a desktop or laptop computer to an agency, from its initial acquisition through its ultimate disposal—a fitting definition. Cybernet’s entire line of medical computers has a 3-5 year life cycle that’s determined by evaluating several factors—longevity of all computer components, intent of each computer, average use time, environmental factors, software that’s to be used, and other reasons. Sometimes, however, medical computers go through revision changes that can signify an end of life, and the process from revision change back to full certification is highly involved! The revision process to certify a medical computer just to control a specific medical device can be complicated, especially if the two devices don’t communicate well. Here are some ways that end of life cycles affect medical device manufacturers and the processes that happen behind the scenes.

End of Life Cycles Means Customers Must Review Changes

End of Life for certain components in a system doesn’t mean just replacing said components; it takes time to review what changes were made, suggest implications for impact, and go through a process called design verification for both hardware and software. All settings, drivers, and applications need adjustment to fit the new drive images. The devices must be rigorously tested together, bugs must be addressed both on a software and hardware level, and then the results must be sent to the FDA to ensure an entirely seamless validation.  All documentation (the device master record, drawings, etc.) that is associated with the hardware in question must be updated too. Verification and validation are two intense procedures—validation is defined per Wikipedia as the assurance that a product, service, or system meets the needs of the customer and other identified stakeholders. Verification is defined as the evaluation of whether or not a product, service, or system complies with a regulation, requirement, specification, or imposed condition. These are at the heart of design verification, just one component of the entire implementation from A to Z. That doesn’t even factor in signatures and approvals from medical device executives and FDA individuals. These processes are highly involved and can take anywhere from several weeks to several months for implementation depending on the severity of changes—even a small revision to a tiny component! It’s clear that these steps are under heavy scrutiny and take careful thought to move through. The goal is to ensure hospital satisfaction and patient safety in all these steps, which leads to…

End of Life Cycles Mean More Certifications Are Coming

FDA approvals alone are difficult to achieve since all of our medical computers must be rigorously tested with the medical devices in question. Any revisions or changes to a medical computer must be resubmitted for certification in order to work with medical devices again. Imagine the implications of having an untested medical computer on an x-ray machine! Even a pair of similar computers don’t have the same electromagnetic compatibility (or EMC), so switching computers on a medical device isn’t very simple. Introducing an untested medical computer to a medical device could cause it to malfunction, necessitating months and perhaps years of testing before certifications. That doesn’t even consider global certifications, as every locale where our medical grade computers may be used could have vastly different requirements. Different certifications can cost more time, resources, and money, sometimes in the range of hundreds of thousands of dollars.

What that Means for The Operator and Patient

The FDA categorizes medical devices into three classes of risk, the third class being the highest risk—pacemakers, for example. Patient and operator lives are at risk when working with class 3 medical devices, but those cannot be put to market without full verification and validation. The FDA requires full V&V for Cybernet’s medical computers to function with class 3 medical devices, a process that is ensured through rigorous testing, retesting, and approval. Patient and operator safety is in good hands when a medical computer’s end of life is in question—every computer out of our warehouse that interfaces with a medical device isn’t just some assemblage of parts that works with machines. They are fully-approved and certified medical computers designed from the ground up for patient and operator safety. Yes, it takes time and money for our customers to use these computers with their medical devices. That’s just proof that we are second to none in this amazing industry.

 

What The FDA’s Postmarket Management of Cybersecurity in Medical Devices Means for Manufacturers of Medical Devices

The FDA’s guidance on “Postmarket Management of Cybersecurity in Medical Devices” is a complementary document to 2014’s “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. The 30 pages of the guidance contain detailed recommendations, and manufacturers of medical devices need to study them thoroughly.

The guidance is consistent with the cybersecurity guidelines set by the U.S. Government for other industries such as power grids and financial organizations and aims to protect critical infrastructures from cyber threats. Since most of the medical device manufacturing is in the private sector, the guidance also aims to facilitate cooperation between the public and private actors in preventing and mitigating cyber attacks.

Key Highlights

#1. Medical devices: the guidance applies to medical devices containing software, firmware, programmable logic, as well as mobile medical devices and applications, and devices that are part of interoperable systems – the legacy devices already in use, or on the market.

The agency explains the scope of medical devices has increased to include any device that is connected to computer networks and can, therefore, be compromised.

#2. Patient Harm (IV): the guidance stresses the importance of risk-based assessments of cybersecurity vulnerabilities that could cause patient harm. Of note: Patient Harm replaces Essential Clinical Performance, which was present in the draft version. The definition of patient harm is aligned with ISO 14971.

Interestingly, the guidance excludes compromise of private data from the definition of patient harm and refers to HIPAA for privacy protection recommendations.

#3. Evaluation of Risk of Patient Harm (VI) is the key purpose of the cyber-vulnerability risk assessment that needs to define if the risk of patient harm is:

  • controlled/acceptable (low probability of an exploit harming patient health)
  • or uncontrolled/unacceptable (high probability of an exploit harming patient health).

The agency suggests a matrix to evaluate risk acceptability, involving:

  • the exploitability of the vulnerability
  • the severity of patient harm in case the vulnerability is exploited

Of special note here is the recommendation to adopt a vulnerability disclosure policy and recognize that mitigation changes may affect the device’s performance.

#4. The Postmarket Considerations (V) section introduces recommendations to deploy a robust cybersecurity risk management program throughout the entire product lifecycle. The FDA emphasizes that such programs must include:

  • Monitoring information sources (ISAO, customer complaints, service records) for news on new vulnerabilities and threats.
  • Deploying threat modeling to define how to maintain safety and essential performance.
  • Implementing mechanisms for monitoring third-party software for emerging vulnerabilities during the device’s entire lifecycle; and design verification and validation for software updates and patches for vulnerabilities, including those in off-the-shelf software.

The cybersecurity program needs to be comprehensive, systematic, thoroughly documented and in compliance with the Quality System Regulation (21 C.F.R. Part 820). NIST has guidance on cybersecurity programs for manufacturers, and the FDA’s guidance contains an Appendix, “Elements of an Effective Postmarket Cybersecurity Program.” It encompasses five elements: 1) identify; 2) protect or detect; 3) protect/respond/recover; 4) mitigate risks to safety and essential performance.

#5. Maintaining Safety and Essential Performance (V) links cybersecurity risk management to safety, essential performance, threat modeling, and mitigation actions.

Controlled risks can be patched in a routine update. They fall under the “cybersecurity routine updates and patches” group. These patches are not considered as repairs and do not call for reporting under 21 CFR 806. If a manufacturer holds a PMA, an annual 21 CFR 814.84 report needs to mention the patch.

Uncontrolled risks must be addressed as soon as possible in the form of a patch, update or a temporary “fix” (for example, disabling the Internet connectivity). It is advisable to start with a quick temporary fix to ensure patient safety, and then proceed with a permanent patch when the permanent patch takes some time to design and deploy. Manufacturers must report these fixes to the FDA (21 CFR part 806).

#6. Reporting exceptions. The FDA waives the 21 CFR 806 reporting if the three requirements are met:

  • No deaths or other serious adverse events happened due to the vulnerability.
  • The manufacturer has notified users of an available fix (temporary or permanent) no later than 30 days of learning of the vulnerability. The manufacturer has instructed the users on how to apply the fix.
  • No later than 60 days after learning about the vulnerability, the manufacturer fixes it, validates the change and distributes the patch. The manufacturer should follow up with end-users after the distribution of the patch.
  • The manufacturer is a member of an ISAC/ISAO.
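As an added illustration (not taken from the FDA guidance or from the original article), the Python example below tracks the conditions listed above for a single vulnerability and reports whether the 21 CFR 806 reporting waiver still holds, is still pending, or has been lost. The record fields, function name and sample dates are hypothetical, and the rules encoded are only those summarized on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows taken from the conditions listed above; both run from the day
# the manufacturer learned of the vulnerability.
NOTIFY_WINDOW = timedelta(days=30)     # users told of a temporary or permanent fix
REMEDIATE_WINDOW = timedelta(days=60)  # fix validated and patch distributed


@dataclass
class VulnRecord:
    """Hypothetical tracking record for one uncontrolled-risk vulnerability."""
    learned_on: date
    serious_adverse_event: bool   # death or other serious adverse event occurred
    isao_member: bool             # manufacturer is a member of an ISAC/ISAO
    users_notified_on: Optional[date] = None
    fix_distributed_on: Optional[date] = None


def reporting_status(rec: VulnRecord, today: date) -> dict:
    """Evaluate the listed waiver conditions as of `today`.

    state is "waived"  when every condition is already satisfied,
             "pending" when nothing has failed but a deadline is still open,
             "report"  when at least one condition can no longer be met.
    """
    failed = []
    due = {}
    if rec.serious_adverse_event:
        failed.append("adverse_event")
    if not rec.isao_member:
        failed.append("isao_membership")

    milestones = (
        ("notify_users", rec.users_notified_on, NOTIFY_WINDOW),
        ("distribute_fix", rec.fix_distributed_on, REMEDIATE_WINDOW),
    )
    for name, done_on, window in milestones:
        deadline = rec.learned_on + window
        if done_on is not None and done_on < rec.learned_on:
            raise ValueError(f"{name} is dated before the vulnerability was learned")
        if done_on is None and today <= deadline:
            due[name] = deadline          # still open, not yet late
        elif done_on is None or done_on > deadline:
            failed.append(name)           # missed, or completed after the window

    state = "report" if failed else ("pending" if due else "waived")
    return {"state": state, "failed": failed, "due": due}


def constructed_examples() -> dict:
    """Constructed sample records (not real incidents)."""
    learned = date(2024, 1, 1)
    return {
        "on_time": VulnRecord(learned, False, True,
                              date(2024, 1, 31), date(2024, 3, 1)),
        "late_fix": VulnRecord(learned, False, True,
                               date(2024, 1, 10), date(2024, 3, 2)),
        "in_progress": VulnRecord(learned, False, True, date(2024, 1, 10)),
        "non_member": VulnRecord(learned, False, False,
                                 date(2024, 1, 10), date(2024, 2, 1)),
    }


if __name__ == "__main__":
    as_of = date(2024, 2, 1)
    for label, record in constructed_examples().items():
        print(label, reporting_status(record, as_of))
```

A record in the "pending" state carries its open deadlines in `due`, which is the value to feed into whatever ticketing or alerting the remediation team already uses.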

#7. Criteria for Defining Active Participation by a Manufacturer in an ISAO (IX) urges manufacturers to participate in an Information Sharing Analysis Organization.

ISAO/ISAC – Information Sharing & Analysis Committee/Organization, non-profit, industry-specific organizations created to let the members share knowledge about data security. Members of these organizations have a few legal exemptions that apply to the information they share. NH-ISAC is an ISAC, where the National Healthcare organization is a partner.

#8. Impact on Industry

The basic principles of NIST framework must be adopted in the manufacturers’ cybersecurity program. Take into account medical device cybersecurity throughout the entire product lifecycle. Pre-market, manufacturers should incorporate cybersecurity management inputs and design an approach that would determine:

  • Assets and vulnerabilities;
  • How threats/vulnerabilities may cause Patient Harm;
  • The likelihood of threats;
  • Risk levels based on mitigation promptness and strategies;
  • Residual risk assessment, and risk acceptance criteria.

Manufacturers must define the risk of patient harm, identify the cybersecurity vulnerabilities of their devices, assess and classify the existing risks and engage in remediation. Proper documentation of the process is expected.

The health IT community must engage in better information sharing. The FDA encourages medical device manufacturers and the health IT community as a whole to collaborate more closely in ISAOs and ISACs to facilitate threat identification and remediation. The FDA Center for Devices and Radiological Health (CDRH) also encourages the fostering of ISAOs and the role of NH-ISAC. The manufacturers of medical devices should consider joining an ISAC to:

  • Have access to information and intel about the cyber threats.
  • Be exempt from some reporting requirements under 21 CFR 806 (uncontrolled risks).
  • Have access to the community where manufacturers can share information exempt from regulatory use and civil litigation, and the federal Freedom of Information Act, given the data shared meets the requirements of the Critical Infrastructure Information Act.

Manufacturers must understand and comply with the mandatory reporting requirements under 21 CFR 806. This is one of the most complex points, since reporting is difficult to draft and apply and raises concerns about proprietary data protection.

Summary

The FDA has been explicit that manufacturers must deploy comprehensive cybersecurity and risk analysis over the entire lifecycle of a medical device. The primary focus of the analysis is the risk of patient harm. The guidance includes legacy and mobile devices in the scope of medical devices, recognizing that connectivity increases the chances of a device compromise.

The good news is the reduced reporting to the agency in certain cases, and ways to disclose vulnerabilities without assuming a litigation risk.

At this point, manufacturers should acknowledge the FDA’s increasing attention to cybersecurity, and take these recommendations as seriously as possible. As medical devices become more connected and smarter than ever, we can expect that some of the recommendations, if not most, could become mandatory in the foreseeable future.

The Impact of the IEC 60601 Standard on the Healthcare Industry

IEC 60601-1 is the primary standard governing the design of medical devices. While not all countries have adopted IEC 60601-1 as the standard, globally it has become the de facto international benchmark for the design of electronic medical devices.

IEC 60601-1 is a standard intended to be applied to all electro-medical devices traded internationally as a requirement for bringing new medical devices to market. 60601 was first published in 1977 and has been revised many times. The most recent revision, 60601 3rd edition was published in 2005. It was adopted in 2006 by the European Union impacting international medical device manufacturers. In January, 2014, the U.S. started enforcement of the 3rd edition of IEC 60601 for new medical devices (medical devices already on the market on this date were excluded from this enforcement).

There has been a great deal of focus on the standards set by IEC 60601. What are the particulars involved in this set of standards and why is it so important for healthcare administrators to purchase products that adhere to them? Let’s take a deeper look at the details surrounding IEC 60601 and the impact that it has on the healthcare industry.

Designing in Safety: Medical Electronic Manufacturers and IEC 60601

Designing an electronic device that can be used within the clinical setting and meets the standards set out in IEC 60601 is a long process. One of the biggest challenges that manufacturers face when it comes to developing electronic devices is making sure that the instruments in question sufficiently address issues of safety. The IEC 60601 standard was created to directly address these issues. The IEC 60601 standard addresses the risks associated with the use of electrical medical equipment. Purchasing a device that complies with the 60601 standard ensures that the device has gone through a complex series of testing before it is certified ready to bring to market.

Devices Covered by the IEC 60601

There are a varied number of devices that fall under the purview of the IEC 60601 standard. Devices that are used to diagnose, treat, or monitor patients and have one connection to an energy supply are covered by the standard. Should a device have physical contact either directly or indirectly with a patient and transfer energy such as electrical currents to or from the patient, then the device is covered by the regulations set by IEC 60601. Examples of products that are covered by this standard include infusion pumps, endoscopic cameras, MRI and gamma imaging systems, battery operated medical devices, accessories that may be associated with these devices, etc.

Evaluating Hazards Associated with the Use of Electronic Medical Devices

A primary focus of the IEC 60601 standard is the exposure of both users and patients to hazards associated with electronic medical devices. A device that strictly complies with IEC 60601 ensures that hospital administrators, patients, and healthcare practitioners have reduced risks associated with the use of medical grade electronics. One example is the risk associated with the energy output of certain electronic medical devices. IEC 60601 directly addresses this issue through stringent rules on the design of medical devices so as to prevent any patient or operator from unintended exposure to electrical currents.

Non-Conforming Devices

Many hospitals & medical facilities have used traditional desktop computers, towers and all in ones produced by the big three throughout their operations ranging from operating rooms to patient registration and nursing stations. Such computers are not certified to IEC 60601 standards and present a potential risk to both the patient and healthcare practitioners that may cost hospitals millions in potential legal actions.

Manufacturers who create products that adhere to the IEC 60601 standard get to ensure that their devices meet product safety requirements from the initial design phase. This approach directly benefits patients & healthcare providers.