U.S. FDA Cybersecurity
Wise Company has successfully conducted and completed U.S. FDA and European cybersecurity guidance projects over the years. We offer the following guidance services related to these areas:
Applicable devices
- 1) Hardware medical devices including software
- 2) Software medical devices
Service area
- 1) Cybersecurity documentation
- 2) Cybersecurity testing
- 3) Interoperability risk assessment, verification, and validation
- 4) Other performance tests (e.g., network analysis and testing)
Relevant standards
- – Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
- – Postmarket Management of Cybersecurity in Medical Devices
- – AAMI TIR57:2016
- – NIST SP 800-30
- – ANSI/ISA 62443-4-1
- – Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)”
- – AAMI/UL 2900-1:201
- – IEC 810001-5-1: 2021
- – FDA eSTAR Version 5.1
What should be considered for cybersecurity documentation and testing?
As of January 8, 2024, for FDA approval of hardware medical devices with software functionality or software medical devices, documentation and testing must be conducted for all nine sections listed below, including their subsections.
- 1. Risk Management
- – Report
- – Threat Model
- – Cybersecurity Risk Assessment
- – SBOM and Related Information
- 2. Assessment of Unresolved Anomalies
- 3. Cybersecurity Metrics
- 4. Cybersecurity Controls
- – Authentication controls
- – Authorization controls
- – Cryptography controls
- – Code, data, and execution integrity controls
- – Confidentiality controls
- – Event detection and logging controls
- – Resiliency and recovery controls
- – Firmware and software update controls
- 5. Architecture Views (Architecture: A foundational diagram illustrating how the software is structured and operates.)
- 6. Cybersecurity Testing
- 7. Cybersecurity Labeling
- 8. Cybersecurity Management Plan
- 9. Interoperability
What should be considered for cybersecurity testing?
Manufacturers must provide cybersecurity testing documentation, including, but not limited to, security requirements testing, threat mitigation testing, vulnerability testing, and penetration testing. Justifications must be provided for any specific tests not performed.
The following security test documents, related reports, or evaluation materials must be submitted:
- 1) Security Requirements
- – Evidence must be provided to demonstrate the successful implementation of each design input requirement.
- – Evidence of boundary analysis and justification for boundary assumptions must be provided.
- *Boundary Analysis: The process of defining and analyzing cybersecurity boundaries (the physical and logical boundaries between the medical device and the systems or networks it interacts with).
- *Boundary Assumptions: Assumptions established in relation to cybersecurity design, such as network security, operational environment safety, and user security-related behavior.
- 2) Threat Mitigation
- – Testing evidence must demonstrate effective risk control measures according to the threat model provided by global systems, including multi-patient harm, update and patch capabilities, and secure use-case views.
- – The adequacy of each cybersecurity risk control must be ensured. For example, where applicable, this includes enforcing designated security policies, performance under maximum traffic conditions, stability, and reliability.
- 3) Vulnerability Testing (e.g., Section 9.4 of ANSI/ISA 62443-4-1)
- – Detailed information and evidence regarding various tests and analyses must be provided. These tests include abuse or misuse cases, incorrect and unexpected inputs, robustness, fuzz testing, attack surface analysis, vulnerability chaining, closed testing for known vulnerabilities, software composition analysis of binary executables, and static and dynamic code analysis.
- 4) Penetration Testing
- – Testing must focus on identifying and characterizing security-related issues by uncovering and exploiting the product’s security vulnerabilities.
- – Test reports must include details such as the independence and technical expertise of the tester, scope of testing, test duration, methods used, results, findings, and observations.
- – Reports must specify the level of independence the tester has from the device’s design team, whether internal or external testers were used, and may require the involvement of a third party to ensure independence.
- – In all tests, manufacturers must provide evaluations of findings (e.g., vulnerabilities and anomalies) and include justification for not addressing certain findings or deferring them to future releases.
For inquiries regarding medical device cybersecurity, please contact us.