“Most people think about information security in a pretty rigid way. Many picture a locked gate, or the computer saying ‘no’. Effective information security is really much more about making sure that people have appropriate access to information that they need to see to be able to do their jobs effectively.”
Let’s start with our clinical safety journey. The key challenge I face as the Chief Regulatory and Compliance Officer is that in order to maintain Bleepa’s status as a premium medical device, there’s simply no standing still.
What do I mean by that? As a web-based medical device that meets stringent, independently certified patient safety and security criteria, Bleepa complies with two sets of internationally recognised standards.
Meeting these standards is a rigorous, time-consuming process that needs continuous activity to retain compliance.
The first set of standards (collected under an ISO 13485 umbrella) covers quality and risk management in the manufacture of medical devices. These standards form the basis of the medical device manufacturing industry within the European Union, and are also aligned with the requirements elsewhere in the world, such as the US.
A medical device should always be produced with a consideration of risk. At all times, we need to consider the actual outcomes for the patient – ultimately, we need to keep risk as low as possible, and ensure that the risk of using the device is outweighed by the benefit to the patient.
While Bleepa is technically recognized as a low-risk Class I medical device, we have chosen to adhere to the ISO 13485 quality management standard. In some ways, this means that we have to meet more exacting demands than current UK medical device regulations would require of us – but that is because we are ready for a more stringent software classification regime in the European Union.
That’s partly because the European Union was in the process of implementing a new set of Medical Device Regulations when the UK left the bloc, and many software products are recognized as higher-class medical devices under that regime. Here at Feedback Medical we feel that it’s vital for us to ensure that clinicians and multidisciplinary teams are able to use Bleepa in a clinically safe way, and one way to achieve that is to stay on top of these more demanding safety standards. With these safeguards in place we are also able to look at opportunities to expand usage of Bleepa within healthcare systems across Europe and even further afield.
To meet the ISO 13485 requirements, our processes and systems are audited independently every year. So that’s why I think of my role as ensuring that we’re never standing still as an organization when it comes to ensuring our quality management processes are second to none.
Differing views on information security
Most people think about information security in a pretty rigid way. For many, the concept typically conjures up images of a locked gate, or the computer saying ‘no’ when you’re trying to access certain information. Ultimately, the most secure computer system you can have is one where the network cable is unplugged. But that’s of no use to anyone.
So effective information security is much more about making sure that people have appropriate access to information that they should see or need to see to be able to do their jobs effectively. That’s particularly important when we’re talking about clinical safety and a system that helps teams provide better care by being able to get the information they need in a timely way, when they need it. So, it’s better to imagine information security as a keypad, where the right people can get through the door.
There is often a trade-off between security and clinical effectiveness. By changing a process or a part of the architecture of a communications tool in a particular way, you may be making it less effective as a means for people to collaborate productively.
Over the course of our journey developing Bleepa, we’ve followed information security requirements in compliance with another internationally recognized standard, ISO 27001. We have done this in tandem with our work in maintaining the ISO 13485 standards outlined above.
Information security requirements never stay still – looking in the news, every day there is another exposed vulnerability, another information security breach. Managing a modern web platform requires continuous vigilance, and being permanently ready to respond to issues that may arise.
The ‘WhatsApp’ problem
As we’ve seen with recent high-profile incidents of clinicians using WhatsApp to share patients’ personal clinical data, using unsecured platforms that allow information to be saved on personal devices presents a litany of potential patient harms and privacy breaches.
The biggest problem with using a platform like WhatsApp to share sensitive patient information is that there is no central control or governance around how that information is subsequently used. A consumer-focused social media app like WhatsApp will have been used by those medics for both work and play, and so a hospital or GP practice manager will have no visibility of the information, and sensitive information can all too easily end up in the wrong place.
The practice, trust, health board or private provider that oversees the care in these settings can’t possibly comply with their own exacting requirements to make sure they have got control over patient data. Bleepa’s chat and file sharing functionalities are designed to make it easy for colleagues and teams to talk to each other and consult with one another. However, key differences are that no data is ever stored locally on a device, the organization has control over who has access, and also has an audit trail of how information is viewed, manipulated, annotated, edited and shared. It therefore has control, enabling it to meet those information governance requirements.
Complying with regulatory standards
Feedback Medical and Bleepa comply with the following regulatory standards:
| Standard | What is it? | Why does it matter? | What is involved? |
| --- | --- | --- | --- |
| UKCA | Regulatory standard – confirming that Bleepa displays digital patient images at a standard suitable for clinical review (as defined by RCR) | Allows the product to be sold for the intended purpose | Class I – self-certification of conformance with MHRA. Development and maintenance of a full Technical File. |
| ISO 13485 | Quality management standard | Demonstrates that we meet the standards expected of a medical device as part of our UKCA accreditation. Demonstrates the quality of our products to customers. | Development and maintenance of a full QMS which is integrated into staff training, internally and externally audited annually, with recertification every 3 years by a certification body. |
| ISO 27001 | Information security management standard | Demonstrates that we have defined processes, independently audited and externally validated, to securely process and manage sensitive data. | Development and maintenance of a full Information Security Management System (ISMS) which is integrated into staff training, internally and externally audited annually, with recertification every 3 years by a certification body. |
| Cyber Essentials Plus | Security standard | Demonstrates the security of the product to customers, externally validated. | Document our security protocols and processes and have these externally audited annually. Annual penetration testing of the system to check for areas of weakness. |
| DCB 0129 | Clinical safety and clinical risk standard | Demonstrates to customers that we have considered real-world application of the technology in the intended setting and for the intended purpose, and that we have deliberately designed as much risk out of the product as possible. | Operate a full risk management plan as part of product design, testing and implementation, which considers clinical/patient risk at all stages. Design and implement mitigating processes where risks are identified to reduce such risks. The process is overseen, reviewed and signed off by an independent CSO. |
| NHS IG Toolkit | NHS cyber security standard | Compliance with this is required in order to sell a software product to the NHS. | Extensive set of information security requirements that covers much of the same subject matter as ISO 27001, but targeted in particular at the management of sensitive personal data. |
| DTAC | Digital Technology Assessment Criteria – an NHS-specific standard | Demonstrates our conformance with all NHS requirements for the provision of software products | DTAC includes a summary capture of all the above standards, but adds extra requirements related to customer service needs, contractual relationships and accessibility. |