Medical Design and Outsourcing

Risk management for cloud-powered medtech: What you need to know

March 19, 2018 By Heather Thompson

[Photo from Flickr, by GotCredit]

Cloud-enhanced medical devices are on the rise. There are some incredible benefits to the trend, as well as some increases in risk. Medtech developers should take note of the risks to properly develop a risk management strategy. 

Michael Ford, Pro Back Office

As we kickstart 2018, there are increasing concerns and risk challenges for the life science industry, thanks in part to the evolution of computing technology. Today, many life science businesses are migrating to cloud computing (SaaS, PaaS, etc.). There is data sharing amongst business partners and the use of third-party providers who are managing important data for these life science companies. All of this has most CEOs spending time and money on risk management and compliance. They see tremendous pressure to safeguard sensitive information collected relating to patient data and privacy, intellectual property (IP), and drug and clinical test data.

Having the proper risk management framework in place for a life science business is a great starting point. Medical device companies must deal with government-imposed data protection regulations and internal control compliance programs from Sarbanes-Oxley to HIPAA to SSAE16. All have been important additions to help improve data security. However, despite the investments in data protection, the industry also faces increasing cyber threats and attacks. Through the development of proper controls, medtech companies can address vulnerabilities and minimize risk to their data and products.

Cloud computing’s pros and cons

The technological advancements in system virtualization, system resource management and the Internet have led to cloud computing’s emergence as a viable alternative for meeting the technology needs of many life science organizations. There are numerous benefits:

  • Instantaneous computing resource fulfillment;
  • Greater value from technology expenditures at lower costs;
  • Decreased need for internal technology support personnel;
  • Cost savings – Cloud customers pay for only the computing resources;
  • Speed of deployment – Cloud service providers can meet the need for computing resources (e.g. server processing and data storage) much more quickly than most internal information technology (IT) functions;
  • Scalability and better alignment of technology resources – An organization can scale up and down its capacity from one server to hundreds of servers without capital expenditures;
  • Decreased effort in managing technology – Owning and operating an IT function is costly and time-consuming. Cloud computing allows an organization to focus more time on its core purpose and goals.

With these benefits come risks for the life science company:

  • Lack of transparency – A cloud service provider (CSP) is unlikely to divulge detailed information about its processes, operations, controls and methodologies.
  • Reliability and performance issues – System failure is a risk event that can occur in any computing environment but poses unique challenges with cloud computing.
  • Security and compliance concerns – Depending on the processes cloud computing is supporting, security and retention issues can arise with respect to complying with regulations and laws such as the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the various data privacy and protection regulations enacted in different countries.
  • High-value cyber-attack targets – The consolidation of multiple organizations operating on a CSP’s infrastructure presents a more attractive target than a single organization, thus increasing the likelihood of attacks. Consequently, the inherent risk levels of a CSP solution in most cases are higher with respect to confidentiality and data integrity.
  • Risk of data leakage – A multi-tenant cloud environment in which user organizations and applications share resources presents a risk of data leakage that does not exist when dedicated servers and resources are used exclusively by one organization.
  • BYOD (Mobile devices) – Security and encryption must be taken into consideration for devices used to connect and access data in the cloud as these devices are more susceptible to theft.

Protecting your data

To address these risks, third-party cloud service providers have implemented internal controls within their computing environment and have several standards or best practices available to them to report on their security status. The auditing and the verification of these controls are performed by independent third-party accounting firms that present the results of these audits in an AICPA SOC 1, SOC 2 and/or SOC 3 report. SOC stands for service organization controls. The SOC 1 report is focused on internal controls over financial reporting, while the SOC 2 and SOC 3 reports are specific to controls related to one or more of the five trust principles of security, availability, processing integrity, confidentiality and privacy.

Depending on the nature of the services provided by the cloud service provider, any of these reports would be appropriate to attest to the effectiveness of the internal controls implemented by the cloud service provider. Cloud users can review the SOC report to ascertain the operating effectiveness of these controls and gain transparency into the cloud service provider’s internal controls for managing risks within its environment. Auditors have been using the SOC reports as part of their SOX testing of internal controls over financial reporting. However, a life science company may use cloud computing to manage its confidential non-financial data (i.e. lab tests, trial test results etc.), which is not covered under SOX. As a result, the risks to this proprietary, confidential data, and the security and compliance controls over it, may not be adequately evaluated.

The potential financial and reputational impacts of the loss of IP or confidential client data would be staggering for any business. To assess where a life science company stands in the risk universe as it relates to cloud computing, it is imperative that they conduct a risk assessment. Risk and compliance executives, internal auditors and risk consultants play an important role in helping life science organizations develop a proactive risk management strategy. What proactive steps and investment will your business make in 2018 to protect your data?

Mike Ford is president of Pro Back Office.

The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of MedicalDesignandOutsourcing.com or its employees.
