Regulatory Open Forum

  • 1. SaMD Qualification in US Hospitals

    Posted 20-Dec-2022 09:33
    Hello,

    We have a Class II SaMD product that is marketed in the US. We often encounter issues when selling to US hospitals pertaining to lengthy cybersecurity and privacy questionnaires. The questionnaires are long and often differ from site to site. Does anyone have advice on which certifications or documentation may be helpful to ease this process? Are there particular certifications (SOCS, ISO 27001, HITRUST, etc.) that are more trusted by hospitals and other health care institutions (ACSs, for example)?

    We acknowledge that it might not be one-size-fits-all, but if there's something we can do to portray reliability or bypass the questionnaires and other lengthy discussions, we would greatly appreciate the input.

    ------------------------------
    Breanne Cuddington
    Regulatory Affairs Lead
    Kitchener ON
    Canada
    ------------------------------


  • 2. RE: SaMD Qualification in US Hospitals

    Posted 20-Dec-2022 09:49
    I recently read the following article from FDA News, which may help:

    Space Infusion Pump Wireless Devices Earn Cybersecurity Certification
    December 6, 2022

    B. Braun Medical's Space Infusion Pump System wireless devices have earned Underwriters Laboratories (UL) 2900-2-1 Cybersecurity Assurance Program (CAP) certification, a standard supported by the FDA.

    The UL CAP certification followed testing for known vulnerabilities and malware by establishing the strength of encryption used, analyzing the source code in each device and application, and conducting penetration and "fuzz testing" - introducing invalid, malformed, or unexpected inputs - to identify vulnerabilities, the company said.

    The UL 2900-2-1 standard provides a way for manufacturers and developers to assess the cybersecurity risk of network-connectable devices. The test methods and risk assessment requirements in the standard apply to all medical devices and accessories, medical device data systems, in-vitro diagnostic devices, and health information technology.

    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------

  • 3. RE: SaMD Qualification in US Hospitals

    Posted 21-Dec-2022 05:17
    Hi,

    We're in a similar place. There are a lot of standards and guidance documents!

    The FDA also recognises IEC 81001-5-1, which is about product cybersecurity, focusing on designing in cybersecurity (it intentionally aligns with IEC 62304 and covers much of the same ground as the FDA cybersecurity guidance), while other standards, notably ISO 27001, are more about infrastructure. However, I don't have any experience of how these can be used to reduce the questionnaire burden! Maybe others can comment.

    We have also completed an MDS2 form, which seems to be for this exact purpose, although we haven't had anyone request it yet.

    Good luck!

    ------------------------------
    David Arrowsmith
    Oxford
    United Kingdom
    ------------------------------

  • 4. RE: SaMD Qualification in US Hospitals

    Posted 21-Dec-2022 08:36
    Unfortunately, I don't think there is one. You can give them a SOC 2 Type 2 report and an MDS2 form, or an ISO 27000 cert, and they'll still want their questionnaire filled out (at least all the ones I dealt with).
    Virtually every institution has its own unique version of a questionnaire, even though most have similar questions and are based on ISO 27000 (so at least you can reuse most of the answers from previous questionnaires). This is a bit similar to how medical device manufacturers each have their own 'supplier survey' they require their vendors to fill out (another topic).

    There have been many software-informatics-related standards recognized by the FDA, but I don't think that makes any difference.

    ------------------------------
    Michael Zagorski RAC
    Director of Regulatory Affairs
    Pittsburgh PA
    ------------------------------