It is cheaper and more efficient for medical device makers to use off-the-shelf commercial software in medical applications. That is perfectly acceptable, but there are a few things to keep in mind, particularly with respect to FDA requirements, advised Shawn Sanders, senior project manager at Solekai Systems, a software development company in San Diego.
Software of unknown provenance, or SOUP, is any code (tools or source code) that lacks formal documentation of how it was developed or that was developed by a third party. Because there is no evidence of the controls applied during its development, it is incumbent on the medical device maker to establish what the software manufacturer's processes actually are.
"Even though this commercial off-the-shelf software has minimum requirements for how its components work or how the software works, it is still dependent upon the medical device manufacturer to confirm that not only does it work but it works within their environment," Sanders said.
[Learn about "Meeting Expanded FDA Requirements for Networked Medical Devices Containing Off-the-Shelf Software," the topic that Sanders will address in his presentation at the MD&M West Conference, Feb. 9-11 at the Anaheim Convention Center, California.]
Next, medical device makers need to understand the patching process, so that they know what happens when a flaw is found that could compromise protected health information.
"As you are aware, software is never done, it's never perfect. It's constantly evolving, improving and being updated. But one of the things that you have to be concerned about, especially with the new guidance under the Affordable Care Act, is what are the policies and procedures for when a vulnerability is detected or an error is detected that could have potentially exposed people's protected health information," Sanders explained.
If device makers don't have an adequate patching process, they may be forced to take the device that depends on the affected software off the market and replace that software with another off-the-shelf commercial component.
Another thing to keep in mind when using commercial software that was not necessarily developed for medical environments is knowing how the data is stored. Sanders explained that a decade or so ago, the regulations surrounding data security and encryption related mostly to data in transit. Now, he said, the regulations have been updated to require that even data at rest (data residing somewhere and not being transferred) be encrypted.
"Now your data repository also has to be fully encrypted," Sanders pointed out. "That’s a pretty big change. It’s a lot of heavy lifting. It's an expensive process but it needs to be done."
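Encrypting the transport (TLS) does nothing for records sitting in the repository, which is the gap Sanders is describing. The following is an added example, written for this page and not code from Sanders or Solekai Systems, of the minimum a device's data store needs: each record is sealed with AES-256-GCM under a key that is held outside the database (here a hypothetical 32-byte key; in a real device it would come from a hardware-backed or platform key store), with a fresh random nonce per record and the record identifier bound as associated data so that a ciphertext copied into another patient's row refuses to open. The record contents and IDs are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealRecord encrypts one record for storage at rest with AES-256-GCM.
// The returned blob is nonce || ciphertext || tag, so the stored column is
// self-describing and the caller never has to track nonces separately.
// recordID is bound as associated data: it is not encrypted, but any change
// to it (or to the blob) makes openRecord fail authentication.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes; use 32 for AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; 96 random bits per
	// record is the standard choice for GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. It returns an error, not garbage, if the
// blob was truncated, tampered with, or attached to a different record ID.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short to contain nonce and tag")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	// Constructed example key. A real device must not hard-code this; it
	// belongs in a key store separate from the repository it protects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	// Constructed sample record: what a PHI row might contain.
	const id = "patient-001"
	sealed, err := sealRecord(key, id, []byte("BP 120/80, HR 72"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for %s (nonce+ciphertext+tag)\n", len(sealed), id)

	// Normal read path.
	plain, err := openRecord(key, id, sealed)
	fmt.Printf("open as %s: %q err=%v\n", id, plain, err)

	// Blob copied onto another patient's row: associated data mismatch.
	_, err = openRecord(key, "patient-002", sealed)
	fmt.Printf("open as patient-002: err=%v\n", err)

	// Single bit flipped in the stored blob: tag check fails.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, id, tampered)
	fmt.Printf("open tampered blob: err=%v\n", err)
}
```

The two failure paths in main are the ones worth testing in a device's own verification suite: a blob that opens under the wrong record ID or after a bit flip means the store is encrypted but not authenticated, which is not the same thing as protected.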
Sanders also had one final piece of advice: Always be testing.