Remote Audits for Medical Device Manufacturers: protect your sensitive Data & Trade Secrets!
Medical device manufacturers must grant Notified Bodies access to highly sensitive data and information during Remote Audits. Although such information is never meant to leave the manufacturer’s site, it is often shared via common cloud services, especially in times of travel restrictions. How can the transfer of sensitive information be set up so that a Remote Audit can be conducted securely?
by Arik Zucker
(az) · In times of travel restrictions due to the recent COVID-19 outbreak, Notified Bodies have started to perform Remote Audits. This has a few advantages. One is certainly the omission of the auditors’ travel and lodging expenses, which can be substantial for small device manufacturers. Also, unannounced on-site audits can be omitted from the manufacturer’s budget, as many Notified Bodies have put them on hold for the time being. A further advantage might be that auditors can now conduct more audits and conformity assessments per unit of time because they no longer spend time travelling, so an efficiency gain might be observed.
So far, this is all positive news. However, as straightforward and simple as it sounds, a Remote Audit certainly bears some risks that seem to be greatly neglected by a lot of device manufacturers.
One crucial question is how manufacturers present their confidential information and data to the Notified Body. It is certainly in the manufacturer’s highest interest to protect internal data comprising sensitive information such as manufacturing processes, complaint statistics, corrective & preventive actions, risk analyses and development plans of devices yet to come to market, to name just a few. This kind of data usually never leaves the manufacturer’s site during regular on-site audits, which, for now, are nonexistent. As only time will tell when everything will be back to normal, we can expect the Remote Audit working mode to last for a while. Hence, if transferred data is leaked by mistake, a great part of the manufacturer’s trade secrets is potentially exposed not only to the competition but also to the broader public, including financial analysts and the media. Of course, securing the data exchange is not at all the Notified Body’s responsibility. The legal manufacturers are in charge of defining the level of security to be applied to their confidential data.
During device development and later during the product life cycle, the risks associated with the device are constantly and carefully assessed and balanced against the clinical benefits. But here’s the thing: are the risks of a security breach, leak or malicious hack during data transfer also being assessed as carefully and balanced against the risk of loss of business? As a matter of fact, as digitalization advances in the industry, such risks become bigger!
In the end, it all comes down to the question of how to transfer sensitive data and information to securely conduct a Remote Audit. Certainly, cloud storage options like Google Drive, Dropbox, OneDrive, etc. are convenient and easily accessible to the parties involved. However, when carefully reading the fine print of those services, it becomes evident that by accepting the terms and conditions (which is required to use these services), stored data can be accessed not only by third parties but also by authorities. In addition, the data is being accessed and analyzed by these providers to further develop their AI / machine learning processes. Such processes are supervised by humans somewhere. Therefore, the number of individuals having access to the manufacturer’s data stored on such cloud services is far more than just a handful. In the end, it doesn’t matter whether data is leaked unintentionally or on purpose. The risk certainly increases with the number of people who have access as well as the number of servers the data is stored on.
MedtechVault is a highly secure data exchange solution for the medical device industry. The platform addresses all the risks and weaknesses pointed out above: to start with, the data is neither provided to any third party nor used for any internal development purposes. Furthermore, the data is physically stored on a server located in Germany (and so are the backups). As each manufacturer has its own vault, the risks associated with human error are greatly reduced, in particular as compared to common cloud storage solutions. As for data access, it is the manufacturer that defines every single user. If desired, document access can be restricted to view-only with print-screen functionality disabled; this is, for example, equivalent to an on-site document review by the Notified Body. In other words, such documents always remain under the manufacturer’s full control. And last but not least, MedtechVault’s self-explanatory and user-friendly interface allows users to understand all functionalities in less than 5 minutes, and its customizable structure allows it to meet the individual needs of each manufacturer. This means that the service can also be used for, e.g., Remote Supplier Audits that have to be performed by device manufacturers.
Ultimately, the device manufacturers must decide for themselves to what degree the data shall be protected and what the value of their trade secrets is for their future competitive advantage. The question, however, is this: as the manufacturers do their utmost to protect patients from any harm by their devices, aren’t they also obligated to secure their business, and in the end the workplaces, through data protection?