
Regulatory Open Forum

  • 1.  Cybersecurity

    Posted 11-Nov-2019 09:52
    Hi all,

    Looking for advice on incorporating security/cybersecurity into the DHF. Specifically, how are controls arising from the Security Threat and Risk Assessment incorporated and/or traced to the conventional Risk Report (patient harm) and Design Requirements? Any advice would be greatly appreciated.

    Thanks!

    ------------------------------
    Breanne Cuddington
    Senior Regulatory Affairs Specialist
    Kitchener ON
    Canada
    ------------------------------


  • 2.  RE: Cybersecurity

    Posted 11-Nov-2019 16:58
    Hi Breanne

    AAMI TIR57: 2016 - Principles for Medical Device Security-Risk Management

    https://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=3729
    provides the correlation between the safety risks of ISO 14971 and risks associated with security threats impacting the Confidentiality, Integrity, and/or Availability of medical devices.  

    AAMI TIR 57 is an FDA Recognized Consensus Standard (Recognition No: 13-83) and spans the entire security chain in addressing cyber vulnerabilities.





    ------------------------------
    Homi Dalal RAC
    Regulatory Affairs Leader
    Christchurch
    New Zealand
    ------------------------------



  • 3.  RE: Cybersecurity

    Posted 12-Nov-2019 10:23

    Thank you Homi.

    I will review the TIR-57 standard. 



    ------------------------------
    Breanne Cuddington
    Regulatory Affairs Associate
    Kitchener ON
    Canada
    ------------------------------



  • 4.  RE: Cybersecurity

    Posted 12-Nov-2019 11:00
    Edited by Colin Morgan 12-Nov-2019 11:01
    Hi Breanne,

    This is a great question and TIR57 is a good place to start.  Another recommended read is the Medical Device and Health IT Joint Security Plan, published earlier this year by the Healthcare Sector Coordinating Council.  The document was developed by medical device manufacturers with support from healthcare providers and industry organizations.  Many of the large manufacturers are following the practices laid out in this document. https://healthsectorcouncil.org/the-joint-security-plan/

    In addition to this, here are a few other items to consider:

    • Cybersecurity Risk Analysis - a separate risk analysis should be performed for Cybersecurity, based on Exploitability vs. Impact (not Probability vs. Impact).  A recommended approach is to use the Common Vulnerability Scoring System "Exploitability" score for identified vulnerabilities, and then leverage the Hazards list as Impact (most organizations have a pre-defined hazards list for patient impact).  Here is the CVSS Calculator from NIST - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
    • Cybersecurity Risk Heatmap - you'll need a risk heatmap similar to what you have in your existing Quality processes, but for Cybersecurity.  This would help identify what is controlled vs. uncontrolled risk (as defined in FDA Post Market Cybersecurity Guidance from 2016).
    I'm happy to jump on a call and talk through these and other options you may have to integrate Cybersecurity and Safety.

    ------------------------------
    Colin Morgan
    Managing Director
    Apraciti, Medical Device Cybersecurity

    colinmorgan@apraciti.com
    United States
    ------------------------------
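
The Exploitability-vs-Impact analysis and the controlled/uncontrolled heat map described in the post above, worked through as an added example (this is not code from the thread or from any of the posters). The exploitability formula and metric weights are those of the CVSS v3.1 specification; everything else is assumed for illustration: the five-level severity scale, the three hazards and their worst-case severities, the bands used to bin the exploitability sub-score, the `risk = band x severity` product, and the threshold of 12 above which a finding is labelled "uncontrolled". A real implementation would take those from the manufacturer's own ISO 14971 risk-management procedure and FDA postmarket-guidance interpretation.

```python
"""Cybersecurity risk analysis: CVSS v3.1 exploitability vs. patient-harm impact.

Added example, not code from the thread. Metric weights and the exploitability
formula are from the CVSS v3.1 specification; the hazard list, severity ranks,
exploitability bands and the controlled/uncontrolled threshold are assumed for
illustration and would normally come from the manufacturer's own procedure.
"""
from dataclasses import dataclass

# CVSS v3.1 exploitability metric weights (FIRST, CVSS v3.1 specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}   # Attack Vector
AC = {"L": 0.77, "H": 0.44}                         # Attack Complexity
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}    # Privileges Required, Scope:U
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}      # Privileges Required, Scope:C
UI = {"N": 0.85, "R": 0.62}                         # User Interaction

# Assumed severity ranks for patient harm (ISO 14971 leaves the scale to the manufacturer).
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}

# Constructed hazards list: hazard ID -> (description, worst-case severity).
HAZARDS = {
    "H-01": ("incorrect therapy delivered", "catastrophic"),
    "H-02": ("loss of monitoring or alarm", "serious"),
    "H-03": ("disclosure of patient data", "minor"),
}


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}; reject non-v3 vectors."""
    head, *pairs = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported vector prefix: {head}")
    metrics = dict(p.split(":", 1) for p in pairs)
    missing = [m for m in ("AV", "AC", "PR", "UI", "S") if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def exploitability(vector: str) -> float:
    """CVSS v3.1 exploitability sub-score: 8.22 * AV * AC * PR * UI, shown to one decimal."""
    m = parse_vector(vector)
    pr = PR_CHANGED if m["S"] == "C" else PR_UNCHANGED   # PR weights depend on Scope
    return round(8.22 * AV[m["AV"]] * AC[m["AC"]] * pr[m["PR"]] * UI[m["UI"]], 1)


def exploitability_band(score: float) -> int:
    """Bin the 0.1..3.9 sub-score into five heat-map rows (assumed cut-offs)."""
    for band, floor in ((5, 3.5), (4, 2.5), (3, 1.5), (2, 0.8)):
        if score >= floor:
            return band
    return 1


@dataclass
class Finding:
    vuln_id: str   # internal tracking ID (constructed), not a CVE
    vector: str    # CVSS v3.1 vector string
    hazard: str    # ID from HAZARDS linking the finding to the safety risk file


def assess(f: Finding, threshold: int = 12) -> dict:
    """Score one finding; risk at or above the assumed threshold is 'uncontrolled'."""
    score = exploitability(f.vector)
    band = exploitability_band(score)
    _desc, sev_name = HAZARDS[f.hazard]
    sev = SEVERITY[sev_name]
    risk = band * sev
    return {
        "vuln_id": f.vuln_id, "hazard": f.hazard, "exploitability": score,
        "band": band, "severity": sev, "risk": risk,
        "status": "uncontrolled" if risk >= threshold else "controlled",
    }


def heatmap(findings) -> list:
    """5x5 grid of finding counts: grid[band-1][severity-1]."""
    grid = [[0] * 5 for _ in range(5)]
    for f in findings:
        a = assess(f)
        grid[a["band"] - 1][a["severity"] - 1] += 1
    return grid


if __name__ == "__main__":
    # Constructed findings for demonstration.
    sample = [
        Finding("VULN-001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "H-01"),
        Finding("VULN-002", "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", "H-02"),
        Finding("VULN-003", "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "H-03"),
    ]
    for f in sample:
        a = assess(f)
        print(f"{a['vuln_id']} -> {a['hazard']} expl={a['exploitability']} "
              f"band={a['band']} sev={a['severity']} risk={a['risk']} {a['status']}")
    for row in reversed(heatmap(sample)):   # highest exploitability row on top
        print(" ".join(f"{n:2d}" for n in row))
```

The point of keying each finding to a hazard ID rather than to a free-text impact is traceability: the same hazard IDs appear in the ISO 14971 risk file, so a cybersecurity control can be traced from the vulnerability, through the hazard, to the design requirement that mitigates it. Note also that the Scope metric changes the Privileges Required weight, which is easy to get wrong when computing exploitability by hand.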