Regulatory Open Forum

  • 1.  SaMD 510(k)

    Posted 29-Oct-2020 16:54
    Hello,

    I'm looking to connect with someone who has recently submitted a 510(k) for a class II SaMD. Specifically, I would like to know what security testing was submitted or requested. I am familiar with the list provided in the FDA Cybersecurity Guidance and other guidance documents from working groups, but would greatly benefit from practical advice. There seems to be a general consensus on the testing required (pen testing, static code review, dynamic code review, vulnerability analysis), but I would like to know if this holds up in practice. 

    Thanks in advance!

    ------------------------------
    Breanne Cuddington
    Regulatory Affairs Lead
    Kitchener ON
    Canada
    ------------------------------


  • 2.  RE: SaMD 510(k)

    Posted 30-Oct-2020 07:15
    I just received a clearance earlier this month for a companion SaMD (part of a system). I included a summary of cybersecurity risks and risk mitigation, and all the other software docs for Moderate Level of Concern, BUT was not asked to provide evidence of results of testing cybersecurity or a software BOM. I did not reference the draft cyber guidance of 2018 since the Final guidance from 2014 of the same title is still active and has not been superseded.

    (It was available if asked, but FDA didn't ask; they focused instead on ML algorithms.)


    ------------------------------
    Ginger Cantor, MBA, RAC
    Founder/Principal Consultant
    Centaur Consulting LLC
    River Falls, Wisconsin 54022 USA
    715-307-1850
    centaurconsultingllc@gmail.com
    ------------------------------



  • 3.  RE: SaMD 510(k)

    This message was posted by a user wishing to remain anonymous
    Posted 30-Oct-2020 09:26

    I have just answered the questions in the 2014 Premarket guidance. It was about 4 pages. I DID include the threat analysis as an additional document, but did not include any of the test reports, only mentioned in the answers to the 5 questions that it had been done. That


  • 4.  RE: SaMD 510(k)

    Posted 30-Oct-2020 08:33
    Edited by Colin Morgan 30-Oct-2020 08:33

    Hi Breanne,

     

    Below is a summary of cybersecurity testing that should be considered for the software; however, as Ginger pointed out, what you may be asked for during the 510(k) review is heavily dependent on the type of device and the reviewer. Regardless, these are standard best practices for good cybersecurity. Let me know if you need any guidance on tools or vendors to help accomplish this:

     

    • Applicable for Software Only
      • Static Application Security Testing (SAST) – automated scanning of source code or binary files for software vulnerabilities
      • Software Composition Analysis (SCA) – automated tooling that identifies a product's software bill of materials, including software components and libraries, and compares the list against known vulnerabilities (e.g. NIST Vulnerability Database)
      • Web Application Security Testing (if the software has a web interface) – automated or manual testing of a web application for vulnerabilities
      • Penetration Testing – also called ethical hacking, the practice of performing automated and manual testing against a product, looking for risks and vulnerabilities that can lead to compromise of the product and/or components within the product

     

    • Additional testing to consider, based on the design and scope (these tests are typically for a physical product, rather than standalone software):
      • Vulnerability Scanning – authenticated or unauthenticated vulnerability scanning against a product, which can identify open ports on the system, protocols and known vulnerabilities
      • Fuzz Testing – a form of testing that inputs large amounts of random data to identify coding errors or security loopholes


    ------------------------------
    Colin Morgan, CISSP, CISM, GPEN
    Managing Director
    colinmorgan@apraciti.com

    Apraciti, LLC | Medical Device Cybersecurity

    United States
    ------------------------------



  • 5.  RE: SaMD 510(k)

    Posted 30-Oct-2020 08:44
    In addition to what is mentioned, FDA asked on our submission for

    • Clear explanations with screenshots of application UI
    • Cybersecurity Labels - Needs and actions for end-users to prevent compromised software in IFU
    • Actions taken prior to release to protect against cyber attacks
    • Future updates/patches available to prevent cyber attacks to units in field


    ------------------------------
    Edward Panek
    VP, QA/RA
    Med Device
    Research into Neural Nets - https://www.twitch.tv/edosani
    ------------------------------



  • 6.  RE: SaMD 510(k)

    This message was posted by a user wishing to remain anonymous
    Posted 04-Nov-2020 16:05

    How do folks address:

    1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
    - A specific list of all cybersecurity risks that were considered in the design of your device;
    - A specific list and justification for all cybersecurity controls that were established for your device.

    I have usually addressed this with a CVSS-based risk assessment. I'm now rethinking that, having just read about the new CVSS Rubric qualified by FDA, and reading that it is only for post-market threats, not for pre-market. So for that reason, thought I'd ask.


  • 7.  RE: SaMD 510(k)

    Posted 10-Nov-2020 10:03

    Hi,

    We have adopted a Threat and Risk Assessment approach per UL 2900-1 to assess security threats pre-market. Threat scenarios are assessed for each asset in scope to identify design controls, policy-based risk mitigations and risks requiring ongoing remediation activities. We do not incorporate CVSS into this assessment, but rather deal with risks according to company risk tolerance definitions.

    Hope that helps. 



    ------------------------------
    Breanne Cuddington
    Regulatory Affairs Lead
    Kitchener ON
    Canada
    ------------------------------