In this FDA cybersecurity training webinar, you will learn how vulnerability testing and pentesting are done for your FDA 510k submission.
FDA Cybersecurity Testing
Today, the FDA released the new Final Cybersecurity Guidance. On Wednesday, September 27, 2023, @ 2 pm EDT, we hosted a live webinar with a cybersecurity testing firm, Red Sentry. Red Sentry provides automated vulnerability scanning services and manual pentest services for small companies. Usually, these services are extremely expensive and take months. Alex Thomas and Valentina Flores founded the company to provide cybersecurity testing services that are affordable for small companies and fast. Valentina is the CEO of the company, and she answered our live Q&A and gave a short presentation on cybersecurity testing. Valentina even provides examples of FDA cybersecurity testing for medical devices. If you want to watch the webinar, fill out the form below.
When is the FDA cybersecurity training webinar scheduled?
The webinar was hosted live on Wednesday, September 27, 2023, @ 2 pm EDT, but the YouTube recording is embedded below:
FDA Cybersecurity Requirements
If any of the following attributes apply to your medical device, then FDA cybersecurity requirements apply to your device and you will need to include cybersecurity data in your 510k submission:
- Cloud communication
- Network connection (active or not)
- Wireless communication in any form
- USB/serial ports/removable media
- Software upgrades (this includes patches)
Medical Device Academy primarily works with medical device start-up companies that are developing their first product and need help obtaining 510k clearance for their device. The hottest trend in medical devices is adding wireless functionality to existing electromedical devices and developing software applications for sharing patient data with physicians (e.g. MDDS systems that are software as a medical device or SaMD). Some of our clients are not familiar with the standard for medical device software lifecycle management (i.e. IEC 62304), and almost 100% of our clients need help with documentation of cybersecurity risks and developing a plan for post-market management of cybersecurity for their devices.
Do you need procedures for Software Validation & Cybersecurity?
- SYS-044, Software Validation Procedure
- WI-007, 510(k) Software Documentation & Cybersecurity Work Instruction
Learning the basics of FDA cybersecurity
Two years ago we recorded a webinar on FDA cybersecurity requirements. If you register for tomorrow’s free webinar, you will also get the slide deck from the webinar presented by Bhoomika Joyappa and Matthew Walker two years ago. The webinar will cover four main topics and then we will address other topics during the Q&A portion at the end. The four main topics are:
- Cybersecurity Risk Management
- FDA Approach to Cybersecurity Risk Management (i.e. Threat Model)
- AAMI TIR57 Approach to Cybersecurity Risk Management (i.e. NIST)
- Cybersecurity Labeling
Cybersecurity Labeling Requirements
In the middle of the original webinar from 2021, Matthew Walker explained the cybersecurity labeling requirements. The cybersecurity labeling requirements have been enforced for the past two years, but the new Final guidance for cybersecurity expands the labeling requirements to include a Software Bill of Materials (SBOM). The FDA defines an SBOM as “A list of software components that includes but is not limited to commercial, open source, off-the-shelf, and custom software components.”
How to document FDA Cybersecurity requirements in the FDA eSTAR
On May 22, 2024, we recorded a webinar demonstrating how to complete the cybersecurity section of the FDA eSTAR for documentation of how your device meets the FDA cybersecurity requirements. You can watch this video by purchasing our 510k Course. The webinar was presented by Rob Packard. The webinar reviews the history of FDA guidance documents and discusses what’s new in the latest draft guidance. In the presentation, we also explained the overall process for cybersecurity risk management. This process flow is illustrated by the diagram provided below.
Q&A about cybersecurity
During the live FDA cybersecurity training webinar, we will answer your questions. We will be converting this into an FAQ document and sending that as a follow-up to the original content. If you have company-specific questions, please use our Calendly app to schedule a call. If you are purchasing this webinar now, you can still submit questions by email. You can also use our Suggestion Portal.
Important note about the delivery of this training webinar
The FDA cybersecurity training webinar will be delivered to you via email. You need to confirm an email subscription before an invitation will be sent. Despite our efforts to add AWeber to our SPF record, the emails from AWeber may be in your spam folder.
Additional FDA cybersecurity resources
For devices that are powered and/or have software, you will need to perform software validation in accordance with IEC 62304 ed 1.1 (2015). IEC 62304 makes no mention of “cybersecurity”, but there is another standard that is specific to the cybersecurity of medical devices and it is recognized by the FDA. The FDA has also published two guidance documents that are specific to cybersecurity and a new discussion paper:
- AAMI TIR57:2016 – Principles for medical device security – Risk management
- FDA Guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (September 27, 2023)
- Guidance for Industry, FDA Reviewers and Compliance on Postmarket Management of Cybersecurity in Medical Devices (December 2016)
- Discussion Paper: Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities (June 2021)
About the Instructor
Bhoomika Joyappa joined Medical Device Academy in April 2021. She is now a Sr. Regulatory Consultant at our company. She has a Master’s Degree in Biomedical/Medical Engineering from The City University of New York. Prior to joining Medical Device Academy, she worked as a regulatory affairs intern and completed a training program in regulatory affairs at Duke University School of Medicine. She also has previous experience as a SAS programmer and technical writer for Huawei. She is passionate about regulatory affairs, and she is making an immediate positive contribution to our clients by already completing her first few 510k submissions and developing cybersecurity checklists for our clients to help with cybersecurity documentation required by the FDA. She can be reached via email.