ASG’s Doug Koeneman on Interoperability and Cybersecurity

Essential pillars for a secure and connected health care future

Interoperability refers to the ability of different systems and devices to exchange and use information effectively. In the context of health care, it involves the flow of information between various health care systems, electronic health records, medical devices and other health care stakeholders.

It also refers to the combination of smart devices, each with unique capabilities, that together provide new or increased functionality. In the context of a smart medical device, it involves a defined flow of data and information to support decisions, including defined responses to specific conditions.

ASG Co-Founder, Principal and Senior Consultant Doug Koeneman is interested in the new guidance on interoperability within the regulatory space. “The FDA has been active over the last couple of years, providing new guidance that we need to pay attention to,” he said. “We need to integrate these thought processes to ensure that current practices for cybersecurity are integral to the design process for interoperable devices.”

Koeneman also noted that CFRs (Code of Federal Regulations) will evolve based upon new guidance. Current guidance includes specific topics around interoperability as well as cybersecurity and cyber behaviors.

The intersection of cybersecurity

Most of us know that cybersecurity, the practice of protecting computer systems, networks and data from unauthorized access, theft or damage, involves implementing measures and technologies to prevent and detect potential cyber threats such as hacking, data breaches and malware attacks.

Cybersecurity guidance helps us stay safe online. It gives us tips on how to protect our personal information, like passwords and credit card details. It also teaches us to avoid clicking on suspicious links or downloading unknown files. Good cyber behavior means being cautious and respectful online. Just as there are norms and etiquette in face-to-face interactions, there are guidelines for appropriate behavior online. Doing this effectively translates directly into confidence among users.

These systems and how they work together can have an impact on medical device manufacturers as well as patient care.

“Interoperability is all about how people interact with devices and how those devices interact with the system,” Koeneman said. “There’s a need to create a control loop to protect caregivers and manufacturers while ensuring data and information are reliable. This is accomplished through good design.”

Understanding medical device classifications

A federal risk-based classification system categorizes medical devices into one of three regulatory classes: Class I, Class II and Class III. These classifications are determined by the degree of control required to ensure the safety and effectiveness of each device.

The regulatory controls for each device class include:

  • Class I (low to moderate risk): general controls
  • Class II (moderate to high risk): general controls and Special Controls
  • Class III (high risk): general controls and Premarket Approval (PMA)

“These new interoperable systems can include a combination of Class I, II and III devices in the same system. This can increase the complexity in design and in navigating approaches to regulatory applications,” Koeneman said.

Cybersecurity and mobile devices

The emergence of mobile devices, such as smartphones and wearable health technology, has significantly impacted the health care industry. These devices have the potential to empower individuals to take charge of their health, provide real-time health data and offer novel ways for health care providers or caregivers to monitor patients remotely. However, their rapid development has also posed regulatory challenges.

To adapt to this changing landscape, the FDA has issued guidance on the regulation of mobile medical apps. While many mobile apps are intended for general wellness, such as fitness tracking apps, others have more significant health implications, like apps that offer clinical decision support. The FDA distinguishes between these categories, focusing its regulatory oversight on apps that are medical devices and pose higher risks.

“What gets classified as a mobile device keeps changing,” Koeneman said.

At ASG, we keep track of these changes. We try to stay ahead of the curve when it comes to FDA guidance and regulation.