Hi,
We're in a similar place. There are a lot of standards and guidance documents!
The FDA also recognises IEC 81001-5-1, which is about product cybersecurity, focusing on designing in cybersecurity (it intentionally aligns with IEC 62304 and covers much of the same ground as FDA cybersecurity guidance), while other standards, notably ISO 27001, are more about infrastructure. However, I don't have any experience of how these can be used to reduce the questionnaire burden! Maybe others can comment.
We have also completed an MDS2 form, which seems to be for this exact purpose, although we haven't had anyone request it yet.
Good luck!
------------------------------
David Arrowsmith
Oxford
United Kingdom
------------------------------
Original Message:
Sent: 20-Dec-2022 09:32
From: Breanne Cuddington
Subject: SaMD Qualification in US Hospitals
Hello,
We have a class II SaMD product that is marketed in the US. We often encounter issues when selling to US hospitals pertaining to lengthy cybersecurity and privacy questionnaires. The questionnaires are long and often different site to site. Does anyone have advice for which certifications or documentation may be helpful to ease this process? Are there particular certifications (SOCS, ISO 27001, HITRUST etc.) that are more trusted by hospitals and other health care institutions (ACSs for example)?
We acknowledge that it might not be one-size-fits-all, but if there's something that we can do to portray reliability or bypass the questionnaires and other lengthy discussions, we would greatly appreciate the input.
------------------------------
Breanne Cuddington
Regulatory Affairs Lead
Kitchener ON
Canada
------------------------------