If you are producing medical software for the European market, you are probably aware of the impending EU Medical Device Regulation (MDR). One of the key changes of the MDR is that a lot of health-related software (especially remote monitoring systems) that was previously not considered a medical device will now be required to comply with medical device regulation. Furthermore, a Quality Management System (QMS) will now be required even for Class I devices. Producing medical-grade software requires carefully controlled processes, extensive verification, validation and risk management activities, and regulatory approvals. This poses a dilemma especially for teams producing cloud software, where the use of DevOps practices is becoming a requirement for staying competitive.
DevOps is an agile way of working that removes the traditional barrier between development, quality assurance and operations to deliver much faster turnaround times. It shortens the feedback loop between developers and users. Signature DevOps practices are continuous integration, where new software modifications are immediately integrated into the main codebase and a new build is automatically produced and tested, and continuous delivery, where a working build can be deployed to production at any time.
If you have been working with security, you have probably also heard of DevSecOps (aka SecDevOps). The point of DevSecOps is to include security as a fundamental aspect in all stages of software development. This is also known as “shifting security to the left”, i.e. instead of security work being done mostly at the latter stages of software development (e.g. by doing security audits and fixing problems as they appear), you integrate security as early as possible. Also, where DevOps merges the roles of development, quality assurance, and operations, DevSecOps further throws the role of the security professional into the melting pot. Medical software cannot be safe if it is not secure, so using DevSecOps is a natural step if you want to use DevOps for medical software.
MedDevOps, then, is the practice of taking DevSecOps one step further and also integrating medical device compliance into the DevOps way of working, in addition to security. The integration works in much the same way as DevSecOps integrates security. Compliance in this context means complying not only with medical device regulation and standards, but also with applicable health and privacy regulation such as HIPAA, GDPR, and various national medical record regulations. As you can imagine, combining DevOps practices with these compliance requirements is an interesting challenge.