Author Archive

Cybersecurity FDA Guidance for Devices with Software and Firmware

This article reviews the FDA guidance for premarket and post-market cybersecurity of medical devices with software and firmware—including requirements for reporting of field corrections and removals.

Cybersecurity with custom aspect ratio Cybersecurity FDA Guidance for Devices with Software and Firmware

Hospitals, home health systems, and medical devices are more connected now than ever. The automatic communication between medical devices and network systems is improving the efficiency and accuracy in the world of healthcare. Medical devices are capable of more computing, analysis, reporting and automation to improve the speed and quality of patient care. Along with technological advances, new risks and concerns are also introduced. The risk of hackers exploiting vulnerabilities in networks and software is inevitable. The FDA introduced guidance for both pre-market and post-market cybersecurity to assist manufacturers in developing effective controls to protect patients and users. Cybersecurity protection requires Identification, Protection, Detection, Response, and Recovery.

The first step is incorporating processes and procedures to improve device cybersecurity into your quality management system. You should have a specific cybersecurity plan to outline the steps necessary to ensure a safe and secure medical device.

Identify Cybersecurity Risks

The key to understanding and assessing the cybersecurity risks involved with your device begin in the early stages of design development. At the start of the risk management process, you need to identify the essential safety and performance requirements of the device. You need to identify any potential cybersecurity vulnerabilities that could impact safety or performance, as well as the specific harms that could result if the vulnerability was exploited. In assessing the specific vulnerabilities, the FDA recommends using the Common Vulnerability Scoring System (CVSS). There is a CVSS calculator available online through NIST. The overall score is calculated based on different factors such as: attack vector (local, adjacent network, network), access complexity (high, medium, low), authentication (multiple, single, none), impact of confidentiality (none, partial, complete), exploitability (unproven that exploit exists, proof of concept code, functional exploit exists), remediation level (official fix, temporary fix, workaround, unavailable), collateral damage potential (low, medium, high), etc. This score is used in the hazard analysis in determining the level of risk.

Cybersecurity Protection

The process of assessing the exploitability and harms can also assist in determining mitigations that can be implemented to reduce the cybersecurity risk. During the design process, the FDA expects you to implement as many protections as practicable. Protections include:

  • Limit Access to Trusted Users
    • Password protection, strengthened password requirements
    • User authentication
    • Layered privileges based on user role
  • Limit Access to Tampering
    • Physical locks on devices and/or communication ports
    • Automatic timed methods to terminate sessions
  • Ensure Trusted Content
    • Restrict software or firmware updates to authenticated code
    • Systematic procedures for authorized users to download software and firmware only from the manufacturer
    • Ensure capability of secure data transfer, use of encryption

Cybersecurity Detection

The FDA also requires you to implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use. You should develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event. Methods for retention and recovery should be provided to allow recovery of device configuration by an authenticated privileged user.

If you include off-the-shelf (OTS) software in your device, you are responsible for the performance of the software as part of the device. All software changes to address cybersecurity vulnerabilities of the OTS software need to be validated. You need to maintain formal business relationship with the OTS vendor to ensure timely notification of any information concerning quality problems or corrective actions. Sometimes you will need to involve the OTS vendor to correct cybersecurity vulnerabilities.

Post-Market Surveillance

Once you complete the hazard analysis, mitigation implementation, validations, and has deployed their device for use – your activities shift to post-market management. There are several QMS tools that can assist in the cybersecurity processes post-market including: complaint handling, quality audits, corrective and preventive action, ongoing risk analysis, and servicing. A critical component of every cybersecurity program is monitoring of cybersecurity information sources to assist in the identification and detection of risk. You should maintain contact with third-party software suppliers for identification of new vulnerabilities, updates and patches that come available.

There are many sources that companies should follow for information relating to cybersecurity including: independent security researchers, in-house testing, software or hardware suppliers, healthcare facilities, and Information Sharing and Analysis Organizations (ISAO). Involvement in ISAOs is strongly recommended by the FDA and reduces your reporting burden if an upgrade or patch is required postmarket. ISAOs share vulnerabilities and threats that impact medical devices with their members. They share and disseminate cybersecurity information and intelligence pertaining to vulnerabilities and threats spanning many technology sectors, and are seen as an integral part of your post-market cybersecurity surveillance program.

Response and Recovery

If you identify a cybersecurity vulnerability, there are remediation and reporting steps that need to occur. Remediation may involve a software update, bug fixes, patches, “defense-in-depth” strategies to remove malware or covering an access port to reduce the vulnerability. Uncontrolled risks should be remediated as soon as possible, and must be reported to the FDA according to 21 CFR 806. There are certain circumstances that remove the reporting requirement. The decision flowchart below can be used to determine the reporting requirements.

Cybersecurity software change decision tree Cybersecurity FDA Guidance for Devices with Software and Firmware

In addition to reporting corrections and removals, the FDA identifies specific content to be included in PMA periodic reports regarding vulnerabilities and risks. If you have a Class III device, you should review that section thoroughly to ensure annual report compliance.

If a device contains software or firmware, cybersecurity will be an important component of the risk management processes, and continual cybersecurity management will be necessary to ensure the on-going safety and effectiveness of your device. If you need of more help with cybersecurity risk management of your medical device, please schedule a free 15-minute call with Medical Device Academy by clicking on the link below.

Click here to schedule a 15 minute call 300x62 Cybersecurity FDA Guidance for Devices with Software and Firmware

Posted in: Software Verification and Validation

Leave a Comment (0) →

Reprocessed Single-Use Devices: Considerations for a 510k Submission

This is blog entry summarizing an article published on the FDAeCopy website about the unique challenges of 510k submissions for reprocessed devices.

FDA eCopy Blog Abstract Reprocessed Single Use Devices: Considerations for a 510k Submission

Mary Vater joined Medical Device Academy as a new regulatory consultant in March 2017. She published her first new blog on our FDA eCopy website today. The blog explains the unique challenges of reprocessed single-use devices when preparing a 510k submission.

Challenges of 510k Submissions for reprocessed devices

There are three areas in particular that challenge reprocessors when preparing a 510k submission for reprocessed single-use devices:

  1. Section 13, labeling
  2. Section 15, biocompatiblity
  3. Section 18, performance testing

In her article, Mary reviews each of these sections of a 510k submission and identifies both pitfalls and solutions for testing requirements in each of the sections of a 510k.

One of the most important things to know when preparing a 510k submission for a reprocessed device, is whether you need to perform any biocompatibility testing at all. Biocompatibility testing is one of the longest verification and validation tests–as well as the most costly. If you do not modify the device during reprocessing, then you don’t need to perform biocompatibility testing. This article reviews the types of modifications that will require biocompatibility testing.

You also need to develop your own instructions for use and labeling for reprocessed devices. You can reference the original equipment manufacturer’s (OEM) IFU, but you there is specific information needed for reprocessed devices that should be included. This information includes the name and model number of the OEM device.

Finally, it is not enough to provide performance testing data showing that after reprocessing a device it remains equivalent to the OEM device. You must show that the performance remains equivalent after multiple reprocessing cycles. Most devices will deteriorate over time and may only be able to survive a certain number of reprocessing cycles. This testing data needs to be included in your 510k submission.

If you are interested in learning more about how to prepare a 510(k) for a reprocessed single-use device, please visit the FDA eCopy website.

Posted in: 510(k)

Leave a Comment (0) →

Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons