The Medical Device Innovation Consortium (MDIC) announces that it has been awarded $2.8 million in funding by the U.S. FDA for the expansion of the Case for Quality and medical device cybersecurity programs.
This award will develop and evaluate a variation of the Case for Quality Voluntary Improvement Program pilot (CfQ VIP), formerly known as the CDRH Voluntary Medical Device Manufacturing and Product Quality Program, for medical device manufacturing sites that identify as having quality system issues or have been determined to be out of compliance with the quality system regulations. This variation will assess whether using a quality maturity assessment process that evaluates the execution of a quality system, instead of compliance, leads to faster improvements in quality and compliance. The award also expands proposed work on threat modeling for cybersecurity of medical devices.
A systematic approach to threat modeling can enable manufacturers to effectively address system level risks, including but not limited to: risks related to the supply chain, design, production, and deployment. As an integral part of managing medical device cybersecurity risk, integration of threat modeling provides a blueprint to strengthen security through the total product lifecycle of medical devices.
“MDIC has been an essential partner for the Case for Quality since 2015. The expansion of this program will enable us to further collaborate with MDIC to enhance the success of CfQ VIP while promoting high-quality devices and increasing patient safety,” says Jeff Shuren, M.D., director of FDA’s Center for Devices and Radiological Health (CDRH). “Further, we are encouraged that the work being done by MDIC on cybersecurity threat modeling could ultimately help medical device manufacturers strengthen their cybersecurity efforts, leading to safer, more resilient medical devices that improve patient lives.”
The new CfQ effort will apply the systemic improvement focus of the quality maturity appraisal used by the CfQ VIP, along with product safety metrics, and will incorporate a regulatory compliance perspective using the ISO 13485 standard.
Additionally, MDIC will study the adoption and use of advanced manufacturing practices in non-medical device industries, contrast it with their use in the medical device industry, identify barriers within the industry that prevent adoption, and inform how adoption of these best practices can improve quality, performance, and compliance. Finally, MDIC will launch a boot camp series on cybersecurity threat modeling for medical devices and develop threat modeling best practices for device stakeholders.
Together, these efforts will allow MDIC to help CDRH and industry determine if the success of the CfQ VIP for compliant manufacturers can also help non-compliant medical device manufacturers accelerate their return to a compliant state of operation while implementing improvements that not only address compliance gaps but also promote higher product quality.
Additionally, MDIC’s work on cybersecurity threat modeling for medical devices will enable manufacturers to effectively address system level risks, including but not limited to risks related to the supply chain (e.g., to ensure the device remains free of malware), design, production, and deployment (i.e., into a connected/networked environment), and thereby strengthen security by identifying vulnerabilities and threats to a particular product, products in a product line, or from an organization’s supply chain that can cause patient harm.