With Victory Comes Responsibility

The Medical Device Community has been handed a victory by the Supreme Court with their decision in Riegel vs. Medtronic . Without going into too much detail, I will summarize the essence of the article by stating that The Supreme Court ruled in favor of Medtronic in a case where faulty wiring on an implanted medical device Medtronic manufactured failed, and the reason they ruled in favor of Medtronic is due to the fact that the FDA approved of the design.

As the writers of the blog Drug and Device Law very eloquently point out, this now means that medical device manufacturers and the FDA must now step up to the plate and prove to the world in general, that patients are best served by backing off with litigation and letting the professionals do their jobs. Please allow me a little poetic license.

What it all boils down to is this:

• Medical Device Manufacturers Must Now Take An Even Greater Integrity Based Approach To Insuring Safety Of Medical Devices
• The FDA Must Step Up Their Efforts In Insuring Devices Are Safe

If the Medical Device Community and the FDA fail to deliver from this point forward, Congress will inevitably be granted the power to step in and "fix" the problem. This is rarely a good thing.

Incorrectly Defining The Problem Based On The Solution

Imagine this. You walk into your Doctor's office because you feel you may have a problem, and he reaches into his drug cabinet and pulls out a few bottles of drugs, tells you what they treat, and then gives them to you and says "That should take care of the problem!" He does not look at your health history, ask you any questions, check any vital signs. He just hands you some drugs (mind you, they are very effective drugs for the ailments they treat), and wishes you well. Oh, and he also delivers a hefty bill for his services. The doctor has a nice office and plenty of framed certificates on the wall, so he must be good. Time to start popping those pills!

You might get lucky. Maybe your health problem is treatable with one or more of those drugs, and it all works out. Then again, maybe your problem has nothing to do with what those drugs are meant to treat. Of course, you don't know this until it is too late. After all, you paid good money for the advice of the doctor with the fancy office and certificates all over the wall. Who are you to question the validity of his judgement ?

Of course, most of us are a little more careful with our health than this. We have come to expect a little more due diligence from our healthcare providers. We expect to have our vitals checked, records looked at, and some sort of sensible diagnosis before receiving treatment.

Security, however, is often handled in the manner first described. Organizations often blindly trust the security vendor's suggestions with almost no understanding of the problem and, more often than not, no discussion of requirements. Security vendors love to talk bits, bytes, standards, and certifications in an attempt to establish credibility. Sadly, this is often quite effective as a sales technique. Sometimes the security vendor's products solve some, or even most of the problem. Sometimes it just ends up being a very expensive mistake, which leads to a false sense of security, which is worse than no security at all. If you have no security, and know it, at least it forces you to pay attention. Blindly trusting a security system which does not deliver on the promise is a sure pathway to destruction, much like taking drugs for an illness you don't have.

The iClone

Growing up in the late 1960's and into the early 1970's, a common snide comment we would make when something performed on a less than stellar level was "Made in Japan". It was a holdover from the early part of the twentieth century, when Japan was known as th country that produced cheap junk. Today, Japan is certainly not known for its junk. Made In Japan is now considered, by nearly everyone, to be a mark of quality.

Japan achieved this lofty status through a combination of hard work, assistance from other nations, perseverance, the amazing capability to copy the work of others, and a market that would buy their products. The market was perhaps the toughest barrier, as Japan had to compete with products from the United States, Germany, Italy, and many other long-established producers of higher-quality consumables. Nonetheless, they did it.

Enter China, which is essentially Japan on mega-steroids. Japan currently has a polulation of 127,433,494 (https://www.cia.gov/library/publications/the-world-factbook/print/ja.html) and China has a population of 1,321,851,888 (https://www.cia.gov/library/publications/the-world-factbook/geos/ch.html). Yes, that is a little more than 10 times the population of Japan. China is also already well established in the world market. The Chinese are also quite advanced and many of them have lot of time on their hands; time which can be used to tear apart any Western technology they find and figure out how to clone it. What makes it even easier for them is the simple fact that many of the Western technological products sold in the world are built in China. Every screw, screen, case, logo, all the way to the package it ships in. To a worker in China, often earning barely enough to make ends meet, an extra few dollars "on the side" earned for turning a blind eye when someone wants to review some design plans, or borrow a machine, or buy a few extra parts off the line is the difference between three square meals of rice and three square meals of rice and chicken. I think you get the point.

Enter the iClone , China's amazing take on the popular phone (also made in China) of a similar name. Not being content to merely copy the other guy, the makers of the iClone have decided to improve upon it. Please read the article for a full picture.

Medical device companies produce devices with very high cost consumables attached to them, or simply make single-use standalone consumable devices. Some of these high cost consumables sell for thousands of dollars (yes, for a single-use item). How long do you think it will be before China starts cloning these items? They are already doing it with drugs, food, and even toothpaste.

Makers of consumer electronic devices who have their items cloned take it in the teeth financially, and the customer sometimes benefits from this, sometimes not. Makers of consumables for the medical device industry who have their items cloned take it in the teeth financially, and the customer (patient) can benefit from this as well, OR end up dying. Does anyone see an issue with this?

I here the train coming....

Security is a tough sell. Nobody really wants to pay for security anymore than they want to pay for insurance. We recently became involved with a security project for a medical device company. In essence, they wanted us to help design a system which would enforce a single-use policy for an electronic consumable. We designed a rather elegant system which encorporates cryptographic modules which authenticate via the use of cryptographic keys. This charged us, and we decided to move forward in pursuit of medical device manufacturers who we suspected would surely love this capability. Surprisingly, despite the interest, very few medical device companies have considered security in medical devices in any noteworthy manner.

To most companies, and medical device companies are no exception, security is only considered as a solution to problem. Once a company has had to deal with the pain of not having security, then they are willing to spend the time and money to fix the problem. Unfortunately, security cannot be added to a design very easily. It has to be built in from the beginning. Voting machine companies are feeling this pain right now.

Medical device companies are, in essence, waiting for the "train wreck" to happen. Then, and (in most cases) only then will they decide to build security into their products. Most of our business comes from clients who have either been on the train when it wrecked, caused the train wreck, or are close to someone who has been involved in a train wreck.

An ounce of prevention is worth a pound of cure.

Welcome To Our Blog

Security as it applies to a system is perhaps one of the most misunderstood concepts in the world of technology. We choose to frame this weblog with this statement because security as it applies to many other areas of our lives is often handled in a much more sensible manner. For example, if your goal is to not lose your children when you go to a crowded theme park, you might agree to a system with your significant other (and perhaps your children) to insure that does not happen. You might also agree on what you might do if "Plan A" fails. One procedure you would probably not use is buying an "Antiloss Child Securomatic System" and implicitly trusting it to do the job. You might decide, however, that it would be a good idea to give your children cell phones, or put a business card with your phone numbers in their pockets or shoes. In other words, the "technology" deployed would naturally fall out of the requirement of not losing track of your children. Surprisingly, the "technology" does not have to be very high tech at all, and can end up doing a far better job at securing your children than the "Antiloss Child Securomatic System", and cost far less.

This may be a somewhat silly analogy, yet this is one of many issues we face. It is easier for some organizations to simply trust a consultant or a technology to do the job than to work towards understanding the problem and working with the consultant and technology to achieve the desired result. What do you think?