Digital Health Regulatory Suite - ThiemeBieg & Associates - Medical Technology

Comply with medical regulatory smarter.

Save money and effort on certifications with integrated systems.
Scalable solutions - for MedTech startups and corporations.

Scalable solutions – for MedTech startups and corporations.

TopEase® Digital Health Regulatory Suite

Challenge: Escalating costs due to EU MDR introduction, quality management according to ISO 13485, risk management according to ISO 14971, ISMS according to ISO 27001 incl. SOA and Annex A Controls

The medical industry is facing one of the biggest upheavals in its history, and not just because of Covid-19. Digitization enables new forms of disease prevention, early disease detection as well as digital treatment and digital disease follow-up. This is done through innovations in the clinics, with the doctors, but also through new digital applications directly with the patient – the digital health applications (DiGa), digital care applications (DiPa), or further applications via individual selective contracts with health insurance companies.

Providers, whether small startups or large corporations, all face the same challenge of certifying their products: Implementation of the MDR (Medical Device Regulation) of the EU by 2026, provided that the MDD (Medical Device Directive) has already been certified. Otherwise, certification must be performed directly in accordance with the MDR. The MDR requires providers to have complete quality and risk management in accordance with ISO 13485 and ISO 14971, and does not differentiate in scope based on company size or financial strength. This leads to duplication and inefficiency with traditional approaches in quality and risk management without networked and integrated systems – especially highly complex process landscapes which are created manually, e.g. in word processing tools, can be difficult to control and evaluate. Aligning internal control systems (ICS), risk management with relevant processes and products, assessing critical assets for ISMS implementation poses significant challenges to the organization.

Our efficient solution: Digital Health Regulatory Suite

We have put together a Regulatory Suite for Digital Health through our experience in critical infrastructure. The Digital Health Regulatory Suite can be used in both startups and corporations, and includes the essential disciplines required for medical technology companies: Quality and Process Management, Risk Management, Information Security Management (ISMS), Asset Management and Control Management. The solutions can be integrated with other TopEase® products on the TopEase® platform and customized. For example, the implementation of risk management processes according to ISO 14971 can be implemented using the existing corporate structures and current release workflows and existing risk classification and taxonomy. The platform intelligently networks information, and presents it in real-time dashboards. Information control and 100% traceability of workflows make document control a thing of the past.

Information Security Management - ISO 27001 incl. SOA

ISO 27001 toolkit for automation of the SoA and Annex A

Information Security Management (ISMS) does not have to be complicated! With our conditional SoA (Statement of Applicability) solution, we have developed a highly efficient and highly automated tool that assigns all relevant controls of ISO 27001 Annex A to the respective assets based on their characteristics. This way you can easily identify which controls need to be applied and check the application in automated assessments. Our SoA tool not only supports you in identifying the necessary controls, but already comes with suggestions for concrete measures that you can take over into implementation. The implementation of the measures can be easily tracked in an automatically created Gantt chart, and the measures can be assigned to individual responsible persons. In addition, you can record all information security-relevant risks in TopEase® – and also link them to assets and measures.

The dashboard provides you with the current status of the ISMS in real time, so you no longer have to burden your organization with manual reports. In addition, you save massively on ISO 27001 consulting costs. In addition, you save massively on ISO 27001 consulting costs.

Definition of the asset characteristics for the SoA

Set asset properties based on predefined categories. The categories can be predefined by us, or you can build your own category / control catalog. The catalog can be dynamically expanded or modified to add new versions of ISO 27001 or basic IT protection.

Automated assignment of Annex A controls

Based on the asset properties, all necessary controls are assigned to the asset. The manual effort for evaluating the ISO 27001 questionnaire on an asset basis as well as the manual transfer into Excel tables is completely eliminated.

Assessment of the control implementation

Each control in ISO 27001 Annex A is checked for implementation – broken down into documentation, control effectiveness and implementation status. In addition, other categories such as Design Effectiveness can be configured, or more questions can be added. Each question can be backed up with evidence or further measure.

Identification of ISMS risks

Identified risks can be assessed and provided with minimization measures. In addition to the current risk rating, the risk target to be achieved by the measures can be defined.

After the measures have been processed, the remaining risk (residual risk) can be reassessed and released again. All processes are 100% workflow-supported and transparently documented.

Medical risk management

Risk register and graphical representation in dashboards

Quick overview and detailed reporting of which risks exist. Automatic prioritization and trend detection for risks. Free definition of the risk matrix (e.g. 4×4, 5×5) and description of the Risk Probability and Risk Severity.

Presentation of risk development according to ISO 14971

Graphical representation per risk of how the risk is to be developed in terms of probability and severity. Release of the risk via workflow. Full traceability of risk assessment and verification via historization function.

Set, implement and track measures based on identified risks

Complete planning of all measures to minimize risks. Measures are assigned to the relevant risks, and the effectiveness of the measure can be evaluated via renewed risk assessment.

Risk 1 Mitigation 50%

Risk 2 Mitigation 64%

Risk 3 Mitigation 57%

Risk 4 Mitigation 22%

Easily recognize implementation status of measures

Individual progress displays and customizing possible. Live dashboard for a quick overview of the implementation of measures.

Automated reports

Quick overview through automated reports. Standard reports out-of-the-box as well as own individual reports possible. Reports can also be generated, for example, as part of approval workflows.

Processes

- - Sales process
  - Product development process
  - CAPA process

Assets

- - Software platform
  - SW Component 1
  - Medical Device 1

Threats

- - Data availability
  - Data integrity
  - Data stream delay

Intelligent networking of information

Fully link risks to measures, processes, assets, and controls. In addition, assignment of e.g. threats and events possible.

Medical process and quality management

Core features in the area of process and quality management

Easy recording of processes, linking with controls, assets and risks possible
Simple governance of processes, implementation of responsibilities and control of roles & rights e.g. via Active Directory
Workflow-based release of processes and work instructions / standard operating procedures
Information control instead of document control for traceability of all changes and release statuses
Export of all information, such as standard process descriptions as PDFs

Aggregation & Dashboards

Representation of process maps and process houses. Complete graphical navigation via process graphics possible.

Display of the supplier structure by country in order to be able to quickly optimize the supply chain in the event of export restrictions, for example.

Aggregated display of current process statuses (number of processes in release, released processes, processes in revision, etc.).

Templates & sample processes

Existing templates on risk management and e.g. Capa processes.

Reporting templates e.g. for work instructions or SIPOC reports.

Data protection Risk management and measures management

Recording and implementation of technical and organizational measures of the GDPR

Privacy management is a key element in digital health solutions. The service provider must ensure data protection-friendly processing of patient data (see Art. 25 GDPR). In addition, personal data must be collected in accordance with the principle of data economy, and appropriate technical and organizational measures must be taken to implement processing security and data economy. For more and more use cases, such as in telemedicine with KBV Annex 31b, the regulator provides for data protection audits or data protection certifications.

The Digital Health Regulatory Suite supports the data protection process holistically by, for example, recording and processing the risks from the data protection impact assessments (DSFA) and measures. All measures are clearly assigned to responsible persons, described and evaluated in accordance with the specifications, and the implementation is then controlled via an approval workflow.

A risk register allows all data protection risks to be viewed at a glance, while automatic filtering and ranking helps users identify the most important and critical data protection risks.

Recording and implementation of technical and organizational measures according to Art. 24 par. 1 and 2 Basic Data Protection Regulation

The implementation of Article 24 para. 1 GDPR requires the assessment of the severity of the risks to the rights of freedom as well as the assessment of the likelihood of the risks occurring.

Transparency in approval of data protection risks and implementation of data protection measures through built-in workflow engine

With the Digital Health Regulatory Suite, a systematic assessment of data protection risks is carried out in accordance with. Art. 32 par. 2 GDPR. This concerns in particular the data protection risks of processing. Through workflow control, the procedure set forth in Article 31 para. 1 GDPR ensures the regular review, assessment and evaluation of data protection risks and technical and organizational data protection measures.

Use-Cases of the Digital Health Regulatory Suite

Hospitals

Implementation of quality and information security management (QMS + ISMS)

Due to regulatory changes such as the Hospital Future Act (KHZG) and the Patient Data Protection Act (PDSG), the requirements for IT security and the protection of patient data are changing for hospitals. In addition to the introduction of an ISMS solution, this often requires the introduction of a process and quality management system to document the relevant core processes. In addition, we recommend the introduction of an internal control system (ICS) for the digital documentation and implementation of the regulatory required and operationally required controls within the processes.

Digital health applications (DiGa / DiPa)

Obtaining medical device certification as a basis for DiGa & DiPa

The introduction of digital health apps (DiGa) and digital care apps (DiPa) makes it possible for the first time to include apps in the standard care provided by statutory health insurers. For this purpose, the legislator requires the implementation of a quality, risk and information security management via the medical device certification. We offer tailor-made solutions, especially for startups, which support the necessary regulatory documentation in a software-based way and grow with the company. Our approach of software-supported documentation avoids duplication of work and high follow-up costs in further certification through intelligent networking of all relevant information. Depending on the phase of the startup, the solution can be adapted to the needs and grows with the company.

Medical Device Manufacturer

Standardization and digitization of management systems to increase efficiency

Manufacturers of certified medical devices already have certified processes and procedures in place. Here, the challenge is often redundant systems and information, sometimes distributed across multiple locations worldwide. There are also extensive supply chains, internal and external control systems, and a variety of products and product components. With the TopEase® platform, we offer customized solutions which can be integrated into the existing application landscape via interfaces in order to create efficiencies as quickly as possible, e.g. in the area of process and supply chain management, through a uniform database. The multi-client capability ensures that the solutions can be used worldwide.

Telemedicine providers according to Annex 31b KBV

Implementation of data protection and information security in telemedicine

Telemedicine providers are required to implement data protection and information security in accordance with Annex 31b KBV. Telemedicine providers are required to implement data protection and information security in accordance with Annex 31b KBV. In order to obtain accreditation and pass the test by certified testing institutes, it is mandatory to implement technical and organizational measures in the area of data protection and information security, among other things. In addition, the Digital Health Regulatory Suite supports the management of all privacy risks and information security risks. Verification documents can be easily generated as PDFs and submitted to certification institutions.

Customer Journey

Step 1

Get-to-know

Vorstellung der Kundenchallenge

Erstes kennenlernen und Gewinnung Verständnis der Problemstellung. Kurzvorstellung der TopEase®-Plattform.

Step 2

Analysis

Analyse des Problemstellung

Analyse der Ist-Situation anhand der individuellen Finanzierungs- und Produktsituation. Leaner Ansatz, Fragestellungen z.B. bzgl. Produktroadmap (Planung DiGa / DiPa) und größter Handlungsbedarfe im regulatorischen Umfeld (Quick-Check Compliance), Ausarbeitung der Handlungsbedarfe, Einbeziehung von Best-Practices.

Step 3

Solutioning

Lösungsvorschlag mit Digital Health Regulatory Suite

Erstellung kundenorientierter Lösungsvorschlag: Einführung von einzelnen Solutions der Digital Health Regulatory Suite anhand der Kundenbedürfnisse, Integration in die bestehende Landschaft, Betrachtung von Kosten/Nutzen. Erstellung einer Umsetzungstimeline anhand der regulatorischen Erfordernisse.

Step 4

Implementation

Implementierung Digital Health Regulatory Suite

Auslieferung vorkonfigurierter Solutions z.B. für das Qualitätsmanagement. Weitere Unterstützungen der Implementierung, z.B. bei der Aufnahme und Dokumentation von Prozessen sowie der relevanten Kontrollen. Weitere Integration in die Systemlandschaft, z.B. durch Anschluss einer bestehenden CMDB Lösung.

Step 5

Regulatory Support

Weitere Zeritifzierungsunterstützung

Wir unterstützen unsere Kunden nicht nur durch weiteres Customizing und Konfiguration der Softwarelösungen, sondern auch operativ im Bereich der für die Zertifizierung notwendigen Tätigkeiten. Der Kundenvorteil besteht in unserem Expertenwissen im Bereich leaner Prozessgestaltung, End-to-End Prozessketten und Wertschöpfungsflüsse, Supplier-Management oder Informationssicherheit in der kritischen Infrastruktur.

Insights

BAIT

Efficiency instead of Excel – automatisation within information security

Efficiency instead of Excel – automatisation within information security Modern cybersecurity requires automated and integrated management systems. In cybersecurity, information security / IT security, or basic IT protection, Excel is often the tool of choice – generally usable, and guidelines such as ISO 27001 Appendix A can be displayed quickly. But in times of complex and rapidly changing relationships, new

Patrick Bieg 26. August 2021 No Comments