Fast-advancing technology is proving to be the proverbial “blessing and curse” for the medical technology industry.
Technology companies famed for their rapid pace of innovation are vying to enter healthcare by applying their core technology expertise to medical devices and diagnostics – companies with such familiar names as Google, Samsung, Qualcomm and Apple.
|James Varelis, Principal, PwC Health Industries|
At the same time, traditional medtech companies are facing the need to address newer technology challenges such as data security, and Unique Device Identification (UDI) compliance, while continuing to struggle with age-old issues such as product lifecycle management (PLM).
PwC has taken deep dives into the challenges posed by technology’s “new entrants”– notably in Healthcare’s new entrants: Who will be the industry’s Amazon.com?
In this article, we want to focus on the need for traditional medtech companies to harness technology in service of their business objectives.
By leveraging technology in specific applications, companies can improve metrics including efficiency, time-to-market, and productivity. While this is true, the twin challenges of new entrants in the marketplace and increasingly global competition is creating a pressing need for medtech firms to truly integrate technology in their product development processes and practices – and to do it NOW.
Three technological challenges faced by MedTech companies – which appear to be quite different but are in fact quite closely related – are illustrative:
- The emerging area of cybersecurity for medical devices
- The ongoing compliance hotbed of Unique Device Identification (UDI)
- The historically challenging area of Product Lifecycle Management (PLM)
Cybersecurity for Medical Devices
The healthcare ecosystem is becoming increasingly complex due to factors such as networked medical devices, increased emphasis on patient “big data,” and healthcare legislation.
Each stakeholder in this landscape faces cybersecurity challenges.
For example, physicians would like timely access to remotely monitored health information, but ensuring data privacy and accuracy is critical. Similarly, regulators need to clearly understand the cybersecurity threat to patient safety and privacy, and develop internal and external guidelines for achieving and ensuring compliance and effectiveness.
However, a significant part of the responsibility of ensuring cybersecurity falls on the shoulders of medtech companies. The Food and Drug Administration has clearly indicated that cybersecurity needs to be effectively embedded within product development by stating that “the need to be vigilant and responsive to cybersecurity vulnerabilities is part of your obligation under 21 CFR 820.100 to systematically analyze sources of information and implement actions needed to correct and prevent problems.”
Traditional product development processes, quality systems, and risk assessments do not lend a lot of consideration to the threat of cybersecurity. However, a paradigm shift is needed – companies should ensure that “cybersecurity by design” is built into their products, rather than tagging it on as an afterthought. This is essential to reduce the risk of compliance issues, public exposure, and ultimately patient safety.
MedTech companies should adopt a holistic security strategy that aligns the company’s vision, business objectives, initiatives, risk tolerance, threat landscape, and culture to the technologies, processes, and people responsible for securing critical assets.
This security strategy and organization methodology takes a “threat-centric approach” to identify program weaknesses and align priorities for the organization to protect critical assets. This approach links the security strategy to the organization’s overall business strategy, while the security organization will also be embedded with the cross-functional product development and support processes. This can help ensure that the security requirements are customized to the needs of the organization and are evaluated in a timely manner at each step of product development.
The technology challenges – and associated opportunities – of UDI present a different set of complications.
UDI began as an FDA-driven solution to perceived quality and outcome issues. FDA believes that, “A unique device identifier system has the potential to improve the quality of information in medical device adverse event reports, which will help the FDA identify product problems more quickly, better target recalls, and improve patient safety.”
That effort to improve device safety came in response to concerns about outdated methods to monitor increasingly complicated devices once they reach patients. In promulgating the rules, the FDA focused on four new areas to strengthen post-market surveillance:
- Create a UDI system and promote incorporation into electronic health information
- Promote the development of national and international registries for select products
- Modernize adverse event reporting and analysis
- Adopt new methods for evidence generation, synthesis and appraisal
Advancing technology – much of it borrowed directly from retail and consumer inventory and supply chain control – lent itself to solutions in the UDI effort. Bar code labeling and scanning, integrated Radio-Frequency Identification (RFID) labeling, software to manage and process inventory and shipping data, all came together at the right time.
For device manufacturers, UDI technology implementation challenges range from new labeling standards to quality systems, and business practice changes to product data management and new technology. Since most medical device companies have multiple product types, varied quality systems, and multiple IT applications in Enterprise Resource Planning (ERP), PLM, Regulatory Affairs/Quality Assurance (RA/QA), and master data management, the complexity is compounded.
But the real promise of UDI lies in how companies can add scope to their programs to go beyond achieving core FDA-mandated requirements, and also accommodate new labeling standards, the addition of more capable data management systems, and harmonizing quality systems.
While the FDA’s focus on tracking and recall after adverse incidents was really focused on looking backward in time, UDI offers the medtech industry the ability to see around the corner. From this perspective, UDI can be an aid to price transparency, a path toward greater and more informed customer choice, and a tool to understand how their products affect patient outcomes. Tracking product use and results more accurately can even improve pricing and pay-for-performance negotiations.
Product lifecycle management technologies and tools have been around for years, and come with various levels of sophistication/complexity – from standalone product data and requirements managers to end-to-end “true” lifecycle management systems.
Most large medical device and diagnostics organizations have implemented PLM systems to at least some degree. The benefits of PLM are well-communicated even if they may not necessarily be fully realized. While MedTech companies realize the advantages of having features such as end-to-end requirements traceability, they are also aware of implementations gone wrong that create a drain on the organization’s assets.
As such, there still is much hesitation and doubt when a medtech company evaluates whether it should go down the PLM route.
But connecting the dots, looking at the changing technology landscape for medtech companies through the lenses of UDI and cybersecurity, it becomes obvious that having a solid and functional PLM solution is all the more important today and in the future.
Consider how these three aspects technology – cybersecurity, UDI and PLM – are inherently inter-related. For example, UDI can be built into requirements based on the need to ensure adequate tracking; PLM can facilitate rapid addressing of cybersecurity issues as they (inevitably) arise – by allowing end-to-end traceability and rapid deployment of changes.
Putting it all Together
Viewing it from this perspective, PLM becomes a unifying factor that ties together the disparate strands of medtech’s technology challenges. What’s needed most at this critical juncture is for the industry overall to adopt a holistic approach to addressing these historical, ongoing, and emerging challenges.
Some general principles for this include:
- •Build cybersecurity and UDI considerations as an integral part of the planning and development processes across the organization
- Evaluate the use of tools such as PLM software that can support the organization with its cybersecurity and UDI needs; However careful development of a business case that takes into consideration all factors is necessary
- Ensure cross-functional participation so that PLM does not simply become an IT driven initiative, or that cybersecurity is not simply a regulatory concern
- Design robust business processes & workflows for a selected PLM system before launching into implementation
- For PLM, use a staged implementation approach – implement core PLM modules related to design controls, document management, requirements management first. Then take on project management, detailed reporting, and similar issues
- Keep existing systems in mind, and ensure alignment where possible
Seizing the inherent power of PLM – power that is turbo-charged by the advances in technology available today -- creates a real formula to leverage technology for success.
[Photo Credit: iStockphoto.com user Talaj]
-- James S. Varelis is a Principal, PwC Health Industries, Pharmaceutical & Life Sciences sector