This message was posted by a user wishing to remain anonymous
How do folks address:
1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
- A specific list of all cybersecurity risks that were considered in the design of your device;
- A specific list and justification for all cybersecurity controls that were established for your device.
I have usually addressed this with a CVSS based on risk assessment. I'm now rethinking that having just read about the new CVSS Rubric qualified by FDA, and reading that it is only for post-market threats, not for pre-market. So for that reason, thought I'd ask.
Original Message:
Sent: 30-Oct-2020 08:43
From: Ed Panek
Subject: SaMD 510(k)
In addition to what is mentioned, FDA asked on our submission for
- Clear explanations with screenshots of application UI
- Cybersecurity Labels - Needs and actions for end-users to prevent compromised software in IFU
- Actions taken prior to release to protect against cyber attacks
- Future updates/patches available to prevent cyber attacks on units in the field
------------------------------
Edward Panek
VP, QA/RA
Med Device
Research into Neural Nets - https://www.twitch.tv/edosani
Original Message:
Sent: 29-Oct-2020 16:53
From: Breanne Cuddington
Subject: SaMD 510(k)
Hello,
I'm looking to connect with someone who has recently submitted a 510(k) for a class II SaMD. Specifically, I would like to know what security testing was submitted or requested. I am familiar with the list provided in the FDA Cybersecurity Guidance and other guidance documents from working groups, but would greatly benefit from practical advice. There seems to be a general consensus on the testing required (pen testing, static code review, dynamic code review, vulnerability analysis), but I would like to know if this holds up in practice.
Thanks in advance!
------------------------------
Breanne Cuddington
Regulatory Affairs Lead
Kitchener ON
Canada
------------------------------