Dan makes a good point with the distinction between regulators and users. Note that ISO 14971:2019 states that "the manufacturer shall inform users of significant residual risks and shall include the necessary information in the accompanying documentation in order to disclose those residual risks." Here it is not explicitly necessary for a manufacturer to disclose risk control measures in the accompanying documentation (see clause 3.1 of the standard for a definition); however, where there are risk controls implemented through protective measures or information for safety, care should be given in how to inform the user in order to reduce risk effectively.
Conversely, risk control option analysis, verification of implementation and effectiveness, as well as evaluation of the residual risk all are checked for compliance "by inspection of the risk management file." Therefore, it will be necessary to disclose this information within the risk management file for regulators to review. It is up to the manufacturer's discretion to determine the level of detail provided, but it should be sufficient for the reviewer to determine that the risk controls were appropriate and effective.
Admittedly, no system is completely secure, nor can all risks be identified and controlled; however, the manufacturer must be compliant with the individual regulations regardless. If the regulator needs more information, it is likely they will ask for it.
------------------------------
Christopher Erwin
Scottsdale AZ
United States
------------------------------
Original Message:
Sent: 14-Feb-2023 01:54
From: Anonymous Member
Subject: Cybersecurity - Could you disclose the risk control measures?
This message was posted by a user wishing to remain anonymous
Dear Dan,
Thank you so much for sharing those details. It was very informative to know about what the actual cybersecurity measures are.
Our concern now is how much of the cybersecurity information we can share with the regulator, whom we don't know how much we can trust.
Original Message:
Sent: 11-Feb-2023 10:21
From: Dan O'Leary
Subject: Cybersecurity - Could you disclose the risk control measures?
My first question is, "Disclose to whom"? It seems to me there are (at least) two different parties – regulators and users. The answer is different in each case.
Cast in terms of the NIST post, I infer the cybersecurity risk control measures are a digital fence - a perimeter. The question, then, is which aspects of the perimeter to disclose and to whom. My presumption is that there are two types of controls, which I will call obvious and hidden. Obvious controls are "user name + password" and "two point authentication" to prevent unauthorized access. The hidden controls might be something in another layer of your "defense in depth" strategy. The concern, I infer, is that user knowledge of the hidden controls, such as in an IFU, will provide an opportunity for somebody to figure out how to circumvent the control and gain access to the system.
The NIST post suggests that one cannot prevent unauthorized access – somebody will always figure out how to breach the perimeter and gain access. The zero trust strategy recognizes that the concept of inside and outside the perimeter is not adequate. You need controls inside as well. To quote the post, "Every access request [from inside the perimeter] to a resource must be thoroughly evaluated dynamically and in real time based on access policies in place and current state of credentials, device, application and service, as well as other observable behavior and environmental attributes, before access may be granted."
One common scenario is a weak-link attack on a device on a network to gain network access. An example might be access to a hospital network through a device with weak cybersecurity controls.
My recommendation for your device is to make the obvious controls known to the user, but keep the hidden controls hidden. This won't prevent an attack but will make it more difficult. If the attack is on a network, not your device, then the attack will turn to the weak link. Don't let it be your device.
On your device implement zero trust controls and recommend it for any network to which the user would connect your device.
------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
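The zero-trust principle Dan quotes (every access request evaluated on credentials, device state, policy and observed behaviour, with no credit given for being "inside" the perimeter) is easier to see as a per-request decision function. The following Python is an added example for this thread, not code from the NIST post, from Dan, or from any standard; the resources, roles, thresholds, clock value and sample requests are all constructed for illustration.

```python
"""Per-request zero-trust decision (constructed illustration).

Every request is judged on its own merits; the network zone it came from is
recorded for logging but is deliberately never used as a trust signal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed, fixed clock so the example is repeatable offline.
NOW = datetime(2023, 2, 11, 10, 21, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Credential:
    subject: str
    roles: frozenset
    issued_at: datetime
    revoked: bool = False


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                    # enrolled in device management
    patched: bool                    # at the required patch level
    last_attested: Optional[datetime]  # last successful posture attestation


@dataclass(frozen=True)
class AccessRequest:
    credential: Credential
    device: Device
    resource: str
    action: str
    network_zone: str      # "internal" or "external": logged, never trusted
    anomaly_score: float   # 0.0 = normal behaviour, 1.0 = highly anomalous


# Constructed policy: permitted roles per action, plus the device posture and
# behavioural thresholds that apply to each resource.
POLICY = {
    "patient-records": {"actions": {"read": {"clinician"}, "write": {"clinician"}},
                        "require_managed": True, "max_anomaly": 0.3},
    "device-telemetry": {"actions": {"read": {"clinician", "biomed"}},
                         "require_managed": False, "max_anomaly": 0.6},
}
CREDENTIAL_MAX_AGE = timedelta(hours=8)
ATTESTATION_MAX_AGE = timedelta(hours=24)


def evaluate(req: AccessRequest, now: datetime = NOW) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). All checks must pass; the reasons list is
    what a defender would log for later review of denied requests."""
    reasons: List[str] = []
    cred, dev = req.credential, req.device
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["no policy for resource: default deny"]
    # 1. Credential state: revoked or stale credentials fail regardless of origin.
    if cred.revoked:
        reasons.append("credential revoked")
    if now - cred.issued_at > CREDENTIAL_MAX_AGE:
        reasons.append("credential older than max age")
    # 2. Access policy: the subject must hold a role permitted for this action.
    if not (cred.roles & rule["actions"].get(req.action, set())):
        reasons.append(f"role not permitted for {req.action} on {req.resource}")
    # 3. Device posture: managed (where required), patched and recently attested.
    if rule["require_managed"] and not dev.managed:
        reasons.append("unmanaged device")
    if not dev.patched:
        reasons.append("device not at required patch level")
    if dev.last_attested is None or now - dev.last_attested > ATTESTATION_MAX_AGE:
        reasons.append("device attestation missing or stale")
    # 4. Observable behaviour: anomalous activity blocks even a valid credential.
    if req.anomaly_score > rule["max_anomaly"]:
        reasons.append(f"anomaly score {req.anomaly_score} above threshold")
    # req.network_zone is intentionally not consulted: being "inside" earns nothing.
    return (not reasons), reasons


def sample_requests() -> List[AccessRequest]:
    """Three constructed requests: an 'internal' one with a revoked credential
    and an unattested device, an 'external' healthy one, and an internal
    request from a role the policy does not permit."""
    clinician = Credential("dr.smith", frozenset({"clinician"}), NOW - timedelta(hours=1))
    revoked = Credential("dr.jones", frozenset({"clinician"}), NOW - timedelta(hours=1), revoked=True)
    biomed = Credential("tech.lee", frozenset({"biomed"}), NOW - timedelta(hours=1))
    healthy = Device("ws-01", managed=True, patched=True, last_attested=NOW - timedelta(hours=2))
    stale = Device("ws-02", managed=True, patched=True, last_attested=None)
    return [
        AccessRequest(revoked, stale, "patient-records", "read", "internal", 0.1),
        AccessRequest(clinician, healthy, "patient-records", "read", "external", 0.1),
        AccessRequest(biomed, healthy, "patient-records", "read", "internal", 0.1),
    ]


if __name__ == "__main__":
    for req in sample_requests():
        allowed, why = evaluate(req)
        print(req.credential.subject, req.network_zone, "ALLOW" if allowed else "DENY", why)
```

The point of the structure is that the second request, arriving from outside, is allowed because every signal checks out, while both internal requests are denied: network location never substitutes for a valid credential, a healthy device and a permitted role.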
Original Message:
Sent: 01-Feb-2023 02:16
From: Anonymous Member
Subject: Cybersecurity - Could you disclose the risk control measures?
This message was posted by a user wishing to remain anonymous
Dear All,
For the cybersecurity application documents, our engineer insists that it is very risky to disclose the risk control measures in the cybersecurity risk management files.
They say that revealing it is like openly saying that the key is under the pot at the gate.
Could you share your experience?
What we think of as options are:
- Accept that disclosure is unavoidable.
- Delete the risk control measures column from the risk management table.
(We don't know what would happen if the regulator noticed it, and it seems like a risky idea to me.)
- Black out the risk control measures and see what happens.
(In this case, we shall disclose the measures if requested by the regulators.)
Any advice would be greatly appreciated.
Thank you in advance for your help.