“The threat spectrum is ever-evolving, and the baseline increases each year,” explains Jordens. Safety and security regulations aim to enable manufacturers to mitigate these threats.
“Regulations are there to protect something or somebody,” he says. “In the case of eIFU regulations, they are there to protect the end-user, to ensure that the information they are provided with is correct and available.” For manufacturers, compliance can also help avoid negative consequences like complaints or legal action.
In the European Union, security regulations for IVDs and medical devices are set by the European Commission. Around the world, they are set by national administrations like the US FDA or specific medical device health administrations. For manufacturers operating in a variety of markets, the first challenge is simply identifying which regulations apply to them and how those regulations differ between markets.
Manufacturers must then interpret the regulations in order to assess compliance – and this can be complicated, Jordens explains: “Often, they talk about security, but at a high level.”
Many regulations require protection against hardware and software intrusion, meaning the system can withstand abuse, whether intentional or unintentional. ISO27001 is a regulation governing ‘soft security’, concerning how people interact with the software within a company, such as not sharing passwords or not altering security settings.
“ISO27001 ensures that the organisation is working at a significant level of security as part of their management system,” says Jordens. This is a key piece of legislation for eIFU management, and Qarad’s ISO27001 qualification puts it in the best position to assure information security.
The challenges for manufacturers are increasing. Today, audits and controls on manufacturers are becoming more and more stringent in their interpretation of regulations, often requiring in-depth reporting such as penetration testing reports. “It’s not just about building a secure website,” Jordens explains. “You need to make sure that you have decent control.”