MDSAP: Cybersecurity and the single audit process program

Oct 19, 2017 | News

For those who may not be entirely familiar with the Medical Device Single Audit Program (MDSAP), this initiative is intended to allow auditors from MDSAP-recognized Auditing Organizations (AOs) to conduct a single audit of a medical device manufacturer’s quality management system that will satisfy the requirements of the medical device regulatory authorities participating in the MDSAP program. The countries currently participating in the program include the United States, Canada, Japan, Australia, and Brazil. The objective is to jointly leverage regulatory resources to manage an efficient, effective, and sustainable single audit program focused on the oversight of medical device manufacturers.

Audits performed under the MDSAP program will be process-based, focusing on several defined processes and on a defined method for linking those processes, but all audits will rest on the foundation of risk management.

As part of this effort to review risk management and software used both as part of the medical device and as part of the internal quality system, the auditors will look to see if the firm has addressed the exchange of sensitive digital information between platforms, organizations, and nations. This is, in large part, in response to the fact that several of today’s medical devices are computers with internet connectivity and can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. The increased use of wireless technology and software in medical devices also increases the risk of potential cybersecurity threats.

During the audit of an organization’s quality management system as identified in the seven MDSAP processes, the audit team will be asked to be mindful of “linkages” needed for an organization’s quality management system to function effectively. For example, linkages assist auditors in making appropriate selections when moving to the next process (e.g. using information from the Measurement, Analysis and Improvement process to select a design project to review where appropriate). The auditors may look for linkages between the design of the internet connectivity and compliance verification to UL 2900. There may be linkages between complaints and the wireless networks in a hospital or auto-updates to the firm’s software. There might even be linkages between the supplier qualification and the software embedded in the Bluetooth or wireless manufacturer.

The audit team is also asked to assess risk management activities during the audit of the organization’s quality management system processes. This risk may be related to the software being used internally by the organization. Even something as simple as email may have direct linkages to ERP or complaint handling systems, where security breaches can originate. Software risk management in addition to device risk management is an integral aspect of an organization’s quality management system and it is the responsibility of top management to provide the necessary commitment and resources.

Effective risk management usually starts in conjunction with the design and development process, proceeds through product realization, including the selection of suppliers, and continues until the time the product is decommissioned. Risk-based decisions occur throughout the various quality management system processes, and each organization must decide how much risk is acceptable to ensure medical devices are as safe as practical.