A few years ago, I was visiting my primary care physician for an annual exam. My Dr., who we will say was not fresh out of medical school, did not like computers. They ‘slowed him down.’ He was writing on my chart in pencil, yes, a real paper chart! When I noticed that the pencil was worn down so far that it would only write from one angle and even so was more like a crayon, I looked at him and said, “You might want to sharpen that pencil.” He replied, “I can’t; this is a medical device.” Being the highly technical imaging person that I am, I said, “Forgive me, Dr., but that is not a medical device; it is just a pencil.” Slightly exasperated, he took off his glasses and looked at me, replying, “This is your chart, a medical record. Obviously, you can see I am making notes and documenting your diagnosis. You can’t do that with just any writing utensil, that would be illegal! I might be audited, and you can only make a diagnosis with a medical device!” Not taking the hint, I said, “Well, at least sharpen it, you can barely write with that.” Now clearly ticked off, Dr. L replied, “Were you not listening?! This pencil is a medical device; if I were to sharpen it, I would have to have a licensed carpenter come in, charging me $400 an hour to sharpen it! You can’t go messing with a medical device unless you have FDA clearance!”
So, maybe there is a hint of sarcasm in my story, but let’s talk about what a medical device is and what the FDA really says. I was at one time a vendor, and while I was, I said many of the same things about my system. Medical device… can’t patch… blah blah, FDA certification…. I truly believed everything I said. I told customers the same story that I was told, and since I had never read any FDA filings (at the time), I believed what I was saying. Like my former self, many vendors have never read nor do they understand the FDA process.
The FDA defines a Medical Device as “…an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.” (Syring, 2018)
From that definition, we could assume that yes, a pencil is indeed a medical device because it was used in the diagnosis of disease. The contrary opinion is that it was not used in the diagnosis, but merely assisted in the recording. Similarly, we have to look at the distinction between things that are used in the diagnosis and things that merely support it. Following this line of reasoning, is PACS a medical device? The answer is that the software is considered a medical device, but the hardware it is running on likely is not. It was not very many years ago when we were all told that our PACS workstations were “medical devices.”
Let’s examine a real 510(k) letter for a PACS. By the way, if you want to look up the certification for your vendor, which I strongly encourage, you can do so on the FDA website.
“PACS xxxxx is a medical image and information management software that is intended to receive, transmit, store, archive, retrieve, manage, display, print, and process digital medical images, digital medical video, and associated patient and medical information. PACS xxxxxx includes a suite of standalone, web-enabled software components, and is intended for installation and use with off-the-shelf hardware that meets or exceeds minimum specifications.” (emphasis added)
What this means is that the software is a medical device; the hardware that it runs on is not. You can run this on any hardware that meets or exceeds specs, and it has no impact on the FDA certification whatsoever. A vendor is well within their rights to provide an approved hardware list, but this is a support issue and not an FDA issue. This distinction is very important! The next point to review concerning software is patching and anti-virus because, as we have just stated, the software is a medical device.
Per the FDA, software can and SHOULD be patched, but when the SOFTWARE is patched, it must be tested in accordance with the General Principles of Software Validation (Food and Drug Administration (FDA), 2001). Because the computer and operating systems that run PACS software are not part of the 510(k) certification, there is no requirement for the FDA to review security patches. Here again, we need to make the distinction between best practices with our vendor partner and FDA regulations. It is a best practice to review security patches with your vendor to ensure that they do not impact operations, but this is not an FDA issue.
“Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.” (Food and Drug Administration, 2018)
There is a one-page fact sheet that is very clearly written, and I also encourage you to read it.
In summary, your PACS software IS a medical device; however, the hardware, software, and operating system on which it runs are not. Given the current cybersecurity threats, it behooves us all to read the FDA guidance and take an active role in making sure that our ‘devices’ are patched and up to date. No one wants to be involved in a virus or ransomware attack. One thing that was surprising to me was that for all the secrecy and mystery surrounding medical devices and subsequent maintenance, the FDA website is surprisingly clear and easy to understand. I encourage everyone to take a few minutes and read it for yourself.
By KYLE HENSON
CEO & Founder
Heartbeat by Intelligent Imaging
Food and Drug Administration (FDA). (2001, 02 25). Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software”. Retrieved from Food and Drug Administration Website: https://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm070634.htm
Food and Drug Administration. (2018, 02 02). Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software”. Retrieved from Food and Drug Administration: https://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm070634.htm
Food and Drug Administration. (2018, 02 07). THE FDA’S ROLE IN MEDICAL DEVICE CYBERSECURITY. Retrieved from Food and Drug Administration: https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf
Syring, G. (2018, 02 25). Overview: FDA Regulation of Medical Devices. Retrieved from Quality and Regulatory Associates: http://www.qrasupport.com/FDA_MED_DEVICE.html