Regulatory Open Forum

  • 1.  Cybersecurity standards and guidance for SaMD

    Posted 08-Nov-2022 11:04
    I'd love to hear about experiences with implementing standards and guidance for product cybersecurity, specifically for software as a medical device, please!

    My company's processes around this are in need of better organisation and maturity, but there seem to be many, many potentially applicable standards and guidances. Our devices (one of which is FDA and MDR cleared) are part premise-hosted, part cloud-based, although at present no personally identifiable data is sent between them.

    Any advice the RAPS hive mind has on selecting the most relevant/useful standards and guidances for our devices would be gratefully received!

    ------------------------------
    David Arrowsmith
    Oxford
    United Kingdom
    ------------------------------


  • 2.  RE: Cybersecurity standards and guidance for SaMD

    Posted 09-Nov-2022 01:36
    Hi!
    Good starting points in US are the FDA guidance documents:

    Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

    https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions

    Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software

    https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-networked-medical-devices-containing-shelf-ots-software

    Postmarket Management of Cybersecurity in Medical Devices

    https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices


    For EU, I suggest MDCG 2019-16 rev. 1
    https://ec.europa.eu/health/sites/default/files/md_sector/docs/md_cybersecurity_en.pdf

    The lower-level guidance documents vary widely. The NIST framework in the US is one of the sources, but it is very complex and difficult to integrate into the usual quality concepts of medical devices. But for me the very best entry point for medical device manufacturers is IEC 81001-5-1, as it is proposed to be harmonized within the next two years in Europe. The good points: it covers many requirements of the FDA guidances, it is derived from a very mature international standard (IEC 62443-4-1), and it describes the entire product life cycle very closely aligned with IEC 62304. In my opinion, this standard is the one and only to be considered. It has many references to other standards, so you will get into the topic from there very quickly.

    You might also get help from a checklist that was created some years ago by various stakeholders:
    https://github.com/johner-institut/it-security-guideline/blob/master/Guideline-IT-Security_EN.md

    Best regards
    Christian

    ------------------------------
    Christian Rosenzweig
    Consultant
    Marburg
    Germany
    ------------------------------



  • 3.  RE: Cybersecurity standards and guidance for SaMD

    Posted 09-Nov-2022 03:28
    David,

    There are a number of standards out there, and more coming out, like ISO 27100, a few others like the UL 2900 series, or others in the 27000 series like ISO 27032. There are also quite a few guidance documents and even more white papers out there about cybersecurity; these seem to be increasing exponentially as the years go on. The FDA also has a couple of nice guidance documents which I use quite often when helping companies understand needs and requirements for cybersecurity. Some advice, though: look outside the typical medical device industry sources, because there are many other sources on cybersecurity in the information technology field. There are a couple of associations out there which have great resources as well, like SANS or ISSA; often I am referring people to different sources "outside" the industry, as there is good information out there. I would not provide a list here because it can be quite extensive, but really I refer people to the FDA guidance, which is quite helpful.

    ------------------------------
    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs
    ------------------------------



  • 4.  RE: Cybersecurity standards and guidance for SaMD

    This message was posted by a user wishing to remain anonymous
    Posted 09-Nov-2022 08:23

    I just returned from the MD&M conference in Minneapolis last week where Chris Gates and Michelle Jump presented (separately) on the topic. Chris was saying that the new IEC 81001-5-1 may help unify it, even across MDR and FDA. I just got a copy of his book (with Axel Wirth) on Medical Device Cybersecurity, and it starts off with organization maturity, the topic you mentioned. Michelle's presentation then went into the FDA newest guidance.


  • 5.  RE: Cybersecurity standards and guidance for SaMD

    Posted 09-Nov-2022 10:18
    Great responses and recommendations! There is something I wasn't aware of in every response so far, so thank you.

    It's good to see some alignment on IEC 81001-5-1, so that has moved up my priority list. Also good to see FDA guidance in your responses, having already used it, so we are at least in the right area. 

    Thanks again & best regards,
    Dave

    ------------------------------
    David Arrowsmith
    Oxford
    United Kingdom
    ------------------------------



  • 6.  RE: Cybersecurity standards and guidance for SaMD

    Posted 11-Nov-2022 03:11
    Hi David,
    maybe these US documents will help you:
    • Deciding When to Submit a 510(k) for a Software Change to an Existing Device
    • Design Considerations and Pre-market Submission
    • Recommendations for Interoperable Medical Devices
    • Software as a Medical Device (SAMD): Clinical Evaluation
    And also these IMDRF guidances:
    • Software as a Medical Device (SaMD): Application of Quality Management System
    • Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Considerations

    Best regards

    ------------------------------
    Valentina Faziani
    Regulatory Affairs Specialist
    Thema s.r.l.
    Italy
    ------------------------------



  • 7.  RE: Cybersecurity standards and guidance for SaMD

    Posted 12-Nov-2022 10:48

    Hi David –

    We have established a policy and process regarding SaMD/SiMD and cybersecurity.  It has become such a hot topic, it's no longer an afterthought.

    First and foremost, IEC 62304:2015 must be followed, as it is the harmonized standard. 

    FDA 21 CFR 820.30 must also be followed (following 62304 will give you just about everything needed for FDA, but 62304 does not cover validation).  For SaMD, you can also follow IEC 82304:2020.

    IEC 62304 refers to ISO 14971:2019 (2019 is the EU requirement).  ISO 14971 also refers to IEC/TR 80002-1:2009, Guidance on the application of ISO 14971 to medical device software.

    All of these are important to release SaMD/SiMD.  In addition, the cybersecurity documents we claim to follow are:

    • FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Guidance, October 2014
    • Principles and Practices for Medical Device Cybersecurity, International Medical Device Regulators Forum, March 2020
    • Principles for Medical Device Security – Risk Management, Association for the Advancement of Medical Instrumentation (AAMI) Technical Information Report (TIR) 57
    • Microsoft Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Escalation of Privilege (STRIDE) Threat Modeling Framework
    • But for EU MDR, this is a must: MDCG 2019-16 Guidance on Cybersecurity of Medical Devices.  Our EU MDR audit concentrated heavily on this for pre- and post-market activities.

    Also, if you look at the A-list for 2023, you'll see another draft guidance on cybersecurity, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions:

       https://www.fda.gov/medical-devices/guidance-documents-medical-devices-and-radiation-emitting-products/cdrh-proposed-guidances-fiscal-year-2023-fy2023?utm_medium=email&utm_source=govdelivery#a

    Hope this helps – please feel free to contact me if you need.

    Thanks –

    Rhonda

    Rhonda Johnston | She/Her | Senior Manager Design Quality Assurance
    rhonda.johnston@smith-nephew.com
    Office: +1.412.552.6533
    Mobile: +1.412.863.0287
    www.smith-nephew.com