How to ensure the safety and
security of an eIFU website

Dimitri Jordens, eIFU and information security manager for eIFU expert Qarad, explains exactly what manufacturers should keep in mind when it comes to managing an eIFU system.

Protect Against Threats

“The threat spectrum is ever-evolving, and the baseline increases each year,” explains Jordens. Safety and security regulations aim to enable manufacturers to mitigate these threats.

“Regulations are there to protect something or somebody,” he says. “In the case of eIFU regulations, they are there to protect the end-user, to ensure that the information they are provided with is correct and available.” For manufacturers, compliance can also help avoid negative consequences like complaints or legal action.

In the European Union, security regulations for IVDs and medical devices are set by the European Commission. Around the world, they are set by national administrations like the US FDA or specific medical device health administrations. For manufacturers operating in a variety of markets, the first challenge is understanding the relevant and varying regulations in the first place.

Manufacturers must then interpret the regulations in order to assess compliance – and this can be complicated, Jordens explains: “Often, they talk about security, but at a high level.”

Many regulations require protection against hardware and software intrusion, meaning the system can withstand abuse, intentional or non-intentional. ISO27001 is a regulation governing ‘soft security’, concerning how people interact with the software inside of a company, such as not sharing passwords or altering security settings.

“ISO27001 ensures that the organisation is working at a significant level of security as part of their management system,” says Jordens. This is a key piece of legislation for eIFU management, and Qarad’s ISO27001 qualification puts it in the best position to assure information security.

The challenges for manufacturers are increasing. Today, audits and controls on manufacturers are becoming more and more stringent in their interpretation of regulations, often requiring in-depth reporting such as penetration testing reports. “It’s not just about building a secure website,” Jordens explains. “You need to make sure that you have decent control.”

Choose Your Strategy

Manufacturers facing these challenges must choose how best to address them. In a changing threat landscape, governed by complex regulation, it is vital to be able to continuously monitor the environment and act quickly. Traditionally, companies have chosen between off-the-shelf solutions, custom solutions and collaboration with specialist firms.

“In the last five to six years, however, we have seen people moving away from custom solutions,” says Jordens. “The two main reasons for this are that it’s becoming a significant burden to upkeep, and there is a big concern about compliance.

“The level of complexity about security is becoming more stringent, which creates complexities that not every manufacturer can deal with themselves.”

Choosing the right partner to help manage the eIFU platform takes away a lot of challenges from manufacturers. A partner with regulatory expertise will remove the burden of designing the system and can ensure compliance with all the relevant frameworks. “That allows the customer to focus on where they shine and do what they do best,” says Jordens.

The software development life cycle (SDLC) is a framework that enables manufacturers to ensure security, objectively monitor compliance and increase their control over the system – while having the flexibility to respond to the ever-evolving threat spectrum. “Being a lifecycle means it’s a continuous process,” explains Jordens. Qarad establishes the SDLC on behalf of its customers to ensure the highest level of control and compliance. “We can always assure our customers that whatever system they’re using is always kept in the validated state, and we can get the records for any time in the past.”

Know The Right Partner

In a dynamic threat landscape, it is vital to stay on top of regular monitoring, a role that can be burdensome for manufacturers. As an eIFU partner, Qarad completes quarterly monitoring on behalf of hundreds of customers, removing the burden for all of them at once.

“We test our system at least quarterly against the top ten threats to make sure it has a good level of security,” explains Jordens. “We want security of such a high level that the likeliness or impact of a breach is reduced as much as possible.

“Qarad’s systematic approach and extensive experience and expertise ensures that regulations are met and new ones quickly adopted, and clients benefit by knowing that their systems are secure, legal and up-to-date.”

Qarad clients benefit from the fact that the company has a quality and regulatory consultancy legacy, making them different from software vendors. Most of its employees have over a decade of experience and are on hand to answer customers’ questions.

Qarad holds the ISO13485 qualification, concerning medical device quality management. Together with its ISO27001 qualification to prove the level of control and security within the company, this gives Qarad a robust standard of security. “That’s something we’ve worked hard on and we’re very strict on it,” says Jordens. “It’s commonly recognised and valuable.”

All of this puts Qarad in the best position to advise its clients and enable them to remain compliant. “Whatever changes, we will be one of the first to recognise it, which allows us to get a head start,” says Jordens.