Comply with medical regulation smarter.

Save money and effort on certifications with integrated systems.
Scalable solutions – for MedTech startups and corporations.

TopEase® Digital Health Regulatory Suite

Challenge: escalating costs due to the introduction of the EU MDR, quality management according to ISO 13485, risk management according to ISO 14971, and an ISMS according to ISO 27001 including the SoA and the Annex A controls.

The medical industry faces one of the biggest upheavals in its history, not just because of Covid-19. Digitization enables new forms of disease prevention, early disease detection, and digital treatment and digital disease follow-up. This is done through innovations in the clinics, with the doctors, but also through new digital applications directly with the patient – the digital health applications (DiGa), digital care applications (DiPa), or further applications via individual selective contracts with health insurance companies.

Providers, whether small startups or large corporations, all face the same challenge of certifying their products: implementation of the EU MDR (Medical Device Regulation) by 2026 for products already certified under the MDD (Medical Device Directive); otherwise, certification must be performed directly under the MDR. The MDR requires providers to have complete quality and risk management in accordance with ISO 13485 and ISO 14971 and does not differentiate in scope based on company size or financial strength. With traditional approaches to quality and risk management that lack networked and integrated systems, this leads to duplication and inefficiency; highly complex process landscapes maintained manually, e.g. in word processing tools, are especially difficult to control and evaluate. Aligning internal control systems (ICS) and risk management with the relevant processes and products, and assessing critical assets for the ISMS implementation, pose significant challenges to the organization.

Our efficient solution: Digital Health Regulatory Suite

We have put together a Regulatory Suite for Digital Health through our experience in critical infrastructure. The Digital Health Regulatory Suite can be used in both startups and corporations and includes the essential disciplines required for medical technology companies: Quality and Process Management, Risk Management, Information Security Management (ISMS), Asset Management and Control Management. The solutions can be integrated with other TopEase® products on the TopEase® platform and customized. For example, risk management processes according to ISO 14971 can be implemented using the existing corporate structures and current release workflows and existing risk classification and taxonomy. The platform intelligently networks information and presents it in real-time dashboards. Information control and 100% traceability of workflows make document control a thing of the past.

Information Security Management - ISO 27001 incl. SOA

ISO 27001 toolkit for automation of the SoA and Annex A

Information Security Management (ISMS) does not have to be complicated! With our conditional SoA (Statement of Applicability) solution, we have developed a highly efficient and highly automated tool that assigns the relevant ISO 27001 Annex A controls to each asset based on its characteristics. This way, you can easily identify which controls need to be applied and verify their implementation in automated assessments. Our SoA tool not only supports you in identifying the necessary controls but also comes with suggestions for concrete measures that you can implement. The implementation of the measures can be tracked in an automatically created Gantt chart, and the measures can be assigned to individual responsible persons. In addition, you can record all information-security-relevant risks in TopEase® and link them to assets and measures.

The dashboard provides you with the current status of the ISMS in real time, so you no longer have to burden your organization with manual reports. In addition, you save massively on ISO 27001 consulting costs. The implementation effort and costs are significantly lower than with manual solutions: thanks to the traceability we also use in our solutions for critical infrastructure (CRITIS) and BSI IT-Grundschutz, all processes are transparently stored in the system and can be called up during audits.

Definition of the asset characteristics for the SoA

Set asset properties based on predefined categories. We can predefine the categories, or you can build your own category/control catalogue. The catalogue can be dynamically expanded or modified to add new versions of ISO 27001 or of BSI IT-Grundschutz.

Automated assignment of Annex A controls

Based on the asset properties, all necessary controls are assigned to the asset. The manual effort of evaluating the ISO 27001 questionnaire per asset and of transferring the results into Excel tables is completely eliminated.

Assessment of the control implementation

Each control in ISO 27001 Annex A is checked for implementation, broken down into documentation, control effectiveness and implementation status. In addition, other categories such as design effectiveness can be configured, or more questions can be added. Each question can be backed up with evidence or a further measure.

Identification of ISMS risks

Identified risks can be assessed and provided with minimization measures. In addition to the current risk rating, the risk target to be achieved by the measures can be defined.

After the measures have been processed, the remaining risk (residual risk) can be reassessed and re-released. All processes are 100% workflow-supported and transparently documented.
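As an added example (illustrative code, not TopEase® code), the following Python sketch shows how the conditional SoA workflow described in the four steps above can work end to end: assets carry characteristics, rules map those characteristics to ISO 27001:2022 Annex A controls, every control gets one SoA row with a justification, and the per-asset assessment answers (documentation, implementation, effectiveness) roll up into a control status. The Annex A subset (abbreviated titles), the rules and the sample inventory are assumptions constructed for the example; a real catalogue would carry all 93 controls and the organisation's own rules.

```python
"""Added example of a conditional SoA: assets carry characteristics, rules map
those characteristics to ISO 27001:2022 Annex A controls, and per-asset
assessment answers roll up into one Statement of Applicability row per control.
Illustrative code, not TopEase® code; control subset and rules are assumptions."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Asset:
    name: str
    props: dict                                  # characteristics, e.g. {"type": "software", "pii": True}
    status: dict = field(default_factory=dict)   # control id -> {axis: True/False}


# Small illustrative subset of Annex A (titles abbreviated; assumption for the example).
CONTROLS = {
    "A.5.23": "Information security for use of cloud services",
    "A.7.4": "Physical security monitoring",
    "A.8.9": "Configuration management",
    "A.8.11": "Data masking",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
    "A.8.23": "Web filtering",
    "A.8.24": "Use of cryptography",
    "A.8.25": "Secure development life cycle",
    "A.8.28": "Secure coding",
}

# Conditional rules (assumed for the example): predicate on asset properties -> control ids.
RULES: list[tuple[str, Callable[[dict], bool], set[str]]] = [
    ("any asset", lambda p: True, {"A.8.9", "A.8.15"}),
    ("software developed in-house",
     lambda p: p.get("type") == "software" and bool(p.get("in_house")), {"A.8.25", "A.8.28"}),
    ("stores personal or health data", lambda p: bool(p.get("pii")), {"A.8.11", "A.8.13", "A.8.24"}),
    ("hosted in the cloud", lambda p: p.get("hosting") == "cloud", {"A.5.23"}),
    ("on-premises hardware",
     lambda p: p.get("type") == "hardware" and p.get("hosting") == "on-prem", {"A.7.4"}),
    ("user endpoint", lambda p: p.get("type") == "endpoint", {"A.8.23"}),
]

ASSESSMENT_AXES = ("documentation", "implementation", "effectiveness")


def applicable_controls(asset: Asset) -> dict:
    """{control id: [names of the rules that triggered it]} for one asset."""
    hits: dict = {}
    for rule_name, predicate, control_ids in RULES:
        if predicate(asset.props):
            for cid in control_ids:
                hits.setdefault(cid, []).append(rule_name)
    return hits


def statement_of_applicability(assets: list) -> dict:
    """One row per Annex A control: applicable or not, with a justification
    naming the assets and rules (or the absence of any matching asset)."""
    rows = {cid: {"title": t, "applicable": False, "justification": []} for cid, t in CONTROLS.items()}
    for asset in assets:
        for cid, reasons in applicable_controls(asset).items():
            rows[cid]["applicable"] = True
            rows[cid]["justification"].append(f"{asset.name}: {', '.join(reasons)}")
    for row in rows.values():
        if not row["applicable"]:
            row["justification"].append("no asset with a matching characteristic")
    return rows


def assess(assets: list, rows: dict) -> dict:
    """Roll up assessments per control and axis as (answered yes, in scope).
    A control counts as implemented only when every in-scope asset answers
    yes on every axis; an unanswered question is treated as open, not as done."""
    for cid, row in rows.items():
        if not row["applicable"]:
            continue
        in_scope = [a for a in assets if cid in applicable_controls(a)]
        per_axis = {}
        for axis in ASSESSMENT_AXES:
            yes = sum(1 for a in in_scope if a.status.get(cid, {}).get(axis) is True)
            per_axis[axis] = (yes, len(in_scope))
        row["assessment"] = per_axis
        row["status"] = "implemented" if all(y == n for y, n in per_axis.values()) else "open"
    return rows


def sample_assets() -> list:
    """Constructed sample inventory for a fictitious DiGA provider (not real data)."""
    full = {axis: True for axis in ASSESSMENT_AXES}
    return [
        Asset("DiGA backend", {"type": "software", "in_house": True, "pii": True, "hosting": "cloud"},
              {"A.8.9": full, "A.8.15": full, "A.8.24": {**full, "effectiveness": False}}),
        Asset("Device gateway", {"type": "hardware", "hosting": "on-prem", "pii": False},
              {"A.8.9": full, "A.8.15": full, "A.7.4": {"documentation": True}}),
        Asset("Vendor analytics SaaS", {"type": "software", "in_house": False, "pii": True, "hosting": "cloud"},
              {"A.8.9": full}),
    ]


if __name__ == "__main__":
    inventory = sample_assets()
    for cid, row in sorted(assess(inventory, statement_of_applicability(inventory)).items()):
        flag = "applicable" if row["applicable"] else "not applicable"
        print(f"{cid:7} {row['title'][:40]:40} {flag:15} {row.get('status', '-'):12}", row["justification"])
```

Two design points matter for an audit: the justification column is generated from the rules that fired, so "not applicable" is always backed by the statement that no asset has the triggering characteristic, and an unanswered assessment question counts as open rather than silently as implemented.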

Medical risk management

Risk register and graphical representation in dashboards

Quick overview and detailed reporting of which risks exist. Automatic prioritization and trend detection for risks. Free definition of the risk matrix (e.g. 4×4, 5×5) and of the descriptions of risk probability and severity.

Presentation of risk development according to ISO 14971

Graphical representation, per risk, of how the risk is expected to develop in terms of probability and severity. Release of the risk via workflow. Full traceability of risk assessment and verification via the history function.

Set, implement and track measures based on identified risks

Complete planning of all measures to minimize risks. Measures are assigned to the relevant risks, and the effectiveness of the measure can be evaluated via renewed risk assessment.
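As an added example of the three steps above (risk register with a configurable matrix and prioritization, risk development per risk with a target, and measures whose effect is verified by reassessment), the following Python sketch implements a minimal ISO 14971-style register. It is illustrative code, not TopEase® code; the 5×5 matrix, the score thresholds for the acceptability regions and the sample risks are assumptions constructed for the example, since ISO 14971 leaves the acceptability criteria to the manufacturer's risk management plan.

```python
"""Added example: ISO 14971-style risk register with a configurable
probability x severity matrix, target risk, residual-risk reassessment,
measure tracking and trend detection. Illustrative code, not TopEase® code."""
from dataclasses import dataclass, field


class RiskMatrix:
    """Square matrix with ordered labels (index 1 = lowest). Acceptability
    regions as score thresholds are an assumption for this example."""

    def __init__(self, p_labels, s_labels, accept_max, alarp_max):
        self.p_labels, self.s_labels = p_labels, s_labels
        self.accept_max, self.alarp_max = accept_max, alarp_max

    def score(self, p, s):
        if not (1 <= p <= len(self.p_labels) and 1 <= s <= len(self.s_labels)):
            raise ValueError(f"P={p}, S={s} outside the {len(self.p_labels)}x{len(self.s_labels)} matrix")
        return p * s

    def region(self, p, s):
        sc = self.score(p, s)
        if sc <= self.accept_max:
            return "acceptable"
        if sc <= self.alarp_max:
            return "ALARP"  # as low as reasonably practicable: needs a documented justification
        return "unacceptable"


@dataclass
class Measure:
    name: str
    done: bool = False


@dataclass
class Risk:
    rid: str
    hazard: str
    p: int
    s: int
    target: tuple                                   # (p, s) the measures are meant to reach
    measures: list = field(default_factory=list)
    history: list = field(default_factory=list)     # (note, p, s), oldest first

    def __post_init__(self):
        self.history.append(("initial estimate", self.p, self.s))


def reassess(risk, p, s, note):
    """Record a new P/S estimate (residual risk after measures) without
    discarding the old one, so every assessment stays traceable."""
    risk.history.append((note, p, s))
    risk.p, risk.s = p, s


def mitigation_progress(risk):
    """Share of planned measures completed, in percent (0.0 if none planned)."""
    if not risk.measures:
        return 0.0
    return round(100.0 * sum(m.done for m in risk.measures) / len(risk.measures), 1)


def trend(matrix, risk):
    """Compare the latest estimate with the previous one."""
    if len(risk.history) < 2:
        return "new"
    prev, cur = risk.history[-2], risk.history[-1]
    before, after = matrix.score(prev[1], prev[2]), matrix.score(cur[1], cur[2])
    return "down" if after < before else "up" if after > before else "flat"


def target_reached(matrix, risk):
    return matrix.score(risk.p, risk.s) <= matrix.score(*risk.target)


def register(matrix, risks):
    """Risk register rows, highest current score first (automatic prioritization)."""
    rows = []
    for r in risks:
        rows.append({
            "id": r.rid, "hazard": r.hazard,
            "score": matrix.score(r.p, r.s), "region": matrix.region(r.p, r.s),
            "trend": trend(matrix, r), "mitigation_%": mitigation_progress(r),
            "target_reached": target_reached(matrix, r),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def sample_register():
    """Constructed sample data for a fictitious DiGA (not a real product)."""
    m = RiskMatrix(["improbable", "remote", "occasional", "probable", "frequent"],
                   ["negligible", "minor", "serious", "critical", "catastrophic"],
                   accept_max=4, alarp_max=12)
    r1 = Risk("R1", "wrong dosage shown after unit conversion error", 4, 5, (1, 5),
              [Measure("unit test on conversion", True), Measure("clinical plausibility check")])
    r2 = Risk("R2", "app unavailable during scheduled maintenance", 2, 2, (2, 2))
    r3 = Risk("R3", "health data readable from device backup", 3, 4, (1, 4),
              [Measure("encrypt local database", True), Measure("exclude from cloud backup", True)])
    reassess(r1, 2, 5, "after unit test introduced")
    reassess(r3, 1, 4, "after encryption and backup exclusion verified")
    return m, [r1, r2, r3]


if __name__ == "__main__":
    matrix, risks = sample_register()
    for row in register(matrix, risks):
        print(row)
```

Note that R1 shows a downward trend and 50% mitigation progress but still sits in the ALARP region above its target, which is exactly the case the workflow must hold open for further measures or a documented risk/benefit justification rather than release.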

[Dashboard excerpt: mitigation progress per risk, e.g. Risk 1 50%, Risk 2 64%, Risk 3 57%, Risk 4 22%]
Easily recognize implementation status of measures

Individual progress displays and customizing possible. Live dashboard for a quick overview of the implementation of measures.

Automated reports

Quick overview through automated reports. Standard reports out-of-the-box as well as own individual reports possible. Reports can also be generated, for example, as part of approval workflows.

[Figure: example network of linked items: Sales process, Product development process, CAPA process; Software platform, SW Component 1, Medical Device 1; Data availability, Data integrity, Data stream delay]
Intelligent networking of information

Fully link risks to measures, processes, assets, and controls. In addition, e.g. threats and events can be assigned.

Medical process and quality management

Core features in the area of process and quality management
  1. Easy recording of processes, linking with controls, assets and risks possible

  2. Simple governance of processes, implementation of responsibilities and control of roles & rights, e.g. via Active Directory

  3. Workflow-based release of processes and work instructions / standard operating procedures

  4. Information control instead of document control for traceability of all changes and release statuses

  5. Export of all information, such as standard process descriptions as PDFs

Aggregation & Dashboards

Representation of process maps and process houses. Complete graphical navigation via process graphics is possible.

Display of the supplier structure by country to be able to quickly optimize the supply chain in the event of export restrictions, for example.

Aggregated display of current process statuses (number of releases, released processes, revision, etc.).

Templates & sample processes

Existing templates for risk management and, e.g., capacity processes.

Reporting templates, e.g. for work instructions or SIPOC reports.

Data protection: risk management and measures management

Recording and implementation of technical and organizational measures of the GDPR

Privacy management is a key element of digital health solutions. The service provider must ensure data-protection-friendly processing of patient data (data protection by design and by default, Art. 25 GDPR). In addition, personal data must be collected in line with the principle of data minimisation, and appropriate technical and organizational measures must be taken to ensure security of processing and data minimisation. For more and more use cases, such as telemedicine under KBV Annex 31b, the regulator provides for data protection audits or data protection certifications.

The Digital Health Regulatory Suite supports the data protection process holistically, for example by recording and processing the risks and measures from data protection impact assessments (DPIA, German DSFA). All measures are clearly assigned to responsible persons, described and evaluated according to the specifications, and their implementation is then controlled via an approval workflow.

A risk register allows all data protection risks to be viewed at a glance, while automatic filtering and ranking help users identify the most critical data protection risks.

Recording and implementation of technical and organizational measures according to Art. 24 para. 1 and 2 GDPR

The implementation of Art. 24 para. 1 GDPR requires an assessment of the severity of the risks to the rights and freedoms of natural persons and of the likelihood that these risks occur.

Transparency in approval of data protection risks and implementation of data protection measures through built-in workflow engine

With the Digital Health Regulatory Suite, a systematic assessment of data protection risks is carried out in accordance with Art. 32 para. 2 GDPR, which concerns in particular the risks presented by the processing. Through workflow control, the process required by Art. 32 para. 1 lit. d GDPR for regularly testing, assessing and evaluating the effectiveness of the technical and organizational data protection measures is ensured.

Use-Cases of the Digital Health Regulatory Suite

Hospitals
Implementation of quality and information security management (QMS + ISMS)

Due to regulatory changes such as the Hospital Future Act (KHZG) and the Patient Data Protection Act (PDSG), IT security requirements and patient data protection are changing for hospitals. In addition to introducing an ISMS solution, this often requires introducing a process and quality management system to document the relevant core processes. In addition, we recommend introducing an internal control system (ICS) for the digital documentation and implementation of the regulatory required and operationally required controls within the processes.

Digital health applications (DiGa / DiPa)
Obtaining medical device certification as a basis for DiGa & DiPa

The introduction of digital health apps (DiGa) and digital care apps (DiPa) makes it possible for the first time to include apps in the standard care provided by statutory health insurers. For this purpose, the legislator requires quality, risk and information security management to be implemented as part of the medical device certification. We offer tailor-made solutions, especially for startups, which support the necessary regulatory documentation in a software-based way. Our approach of software-supported documentation avoids duplication of work and high follow-up costs in later certifications through the intelligent networking of all relevant information. Depending on the startup phase, the solution can be adapted to the company's needs and grows with the company.

Medical Device Manufacturer
Standardization and digitization of management systems to increase efficiency

Manufacturers of certified medical devices already have certified processes and procedures in place. Here, the challenge is often redundant systems and information, sometimes distributed across multiple locations worldwide. There are also extensive supply chains, internal and external control systems, and various products and product components. With the TopEase® platform, we offer customized solutions that can be integrated into the existing application landscape via interfaces to create efficiencies as quickly as possible, e.g. in the area of process and supply chain management, through a uniform database. The multi-client capability ensures that the solutions can be used worldwide.

Telemedicine providers according to Annex 31b KBV
Implementation of data protection and information security in telemedicine

Telemedicine providers are required to implement data protection and information security in accordance with Annex 31b KBV. To obtain accreditation and pass the test by certified testing institutes, it is mandatory to implement technical and organizational measures in data protection and information security, among other things. In addition, the Digital Health Regulatory Suite supports the management of all privacy risks and information security risks. Verification documents can be easily generated as PDFs and submitted to the certification institutions.

Customer Journey

Step 1 Get-to-know
Presentation of the customer challenge

Initial introduction and gaining an understanding of the problem. Brief presentation of the TopEase® platform.

Step 2 Analysis
Analysis of the problem

Analysis of the current situation based on the individual financing and product situation. Lean approach; questions e.g. regarding the product roadmap (planning of DiGa / DiPa) and the greatest needs for action in the regulatory environment (compliance quick check); elaboration of the needs for action; inclusion of best practices.

Step 3 Solutioning
Solution proposal with the Digital Health Regulatory Suite

Preparation of a customer-oriented solution proposal: introduction of individual solutions of the Digital Health Regulatory Suite based on the customer's needs, integration into the existing landscape, consideration of costs and benefits. Preparation of an implementation timeline based on the regulatory requirements.

Step 4 Implementation
Implementation of the Digital Health Regulatory Suite

Delivery of preconfigured solutions, e.g. for quality management. Further implementation support, e.g. in recording and documenting processes and the relevant controls. Further integration into the system landscape, e.g. by connecting an existing CMDB solution.

Step 5 Regulatory Support
Further certification support

We support our customers not only through further customizing and configuration of the software solutions, but also operationally in the activities necessary for certification. The customer benefit lies in our expert knowledge in lean process design, end-to-end process chains and value streams, supplier management, and information security in critical infrastructure.
