Learn how to document your cybersecurity risk controls for an FDA 510k submission when you purchase our cybersecurity work instructions.
Cybersecurity Work Instruction (WI-007) & Webinar Bundle
This work instruction provides detailed instructions explaining how to complete the templates provided with it, in what order the templates should be used, and the “shift left” approach needed to comply with the new 2023 FDA cybersecurity guidance.
When is the webinar about this cybersecurity work instruction?
This webinar will be hosted live on Thursday, October 24, 2024. If you purchase the work instruction prior to October 24, you will receive login information for the live presentation. You can also purchase the recording on demand and watch the training as often as you wish.
What does the FDA require for 510k cybersecurity documentation?
Medical device companies all over the world rely upon IEC 62304 as the standard for managing the software development lifecycle and for creating software verification and validation documentation. However, when medical device companies submit their first 510k, they are often surprised to receive a deficiency requesting additional cybersecurity verification and validation documentation that IEC 62304 does not require. The wording of this deficiency may be as follows:
Your device has interfaces that introduce cybersecurity risks. However, you have not provided adequate documentation to demonstrate that they were taken into account and addressed.
- Please provide a system-level architecture that includes all the components (assets) of the system (including third-party devices), the connections between them, and the communication protocols. Assets may include: Physical Network Components (servers, end-users, peripherals, implants…), Software Systems and Applications (OS, medical applications, firmware…), Communication Paths and Interfaces (physical and logical interfaces), and Data Assets (PHI, secrets, control data, …), etc.
- Please clearly identify the functionality of the network in your device.
- Please provide an asset evaluation that includes a detailed description that is based on your response to the deficiency above.
- Please include a threat model of your system, a detailed cybersecurity plan, including the maintenance plan with respect to routine updates and patches and controls in place to ensure the continued integrity of your device in the field, and a response plan.
- Please also indicate how often you are planning to reassess cybersecurity and what sources you are using as part of your assessment.
- Please provide a cybersecurity hazard analysis that includes identified risks, causes, and mitigation measures.
- Please provide a dedicated cybersecurity plan as identified above.
Which devices require 510k cybersecurity documentation?
Any medical device that includes one or more of the following attributes must include cybersecurity documentation above and beyond the requirements in IEC 62304:
- Cloud communication
- Network connection (active or not)
- Wireless communication in any form
- USB/serial ports/removable media
- Software upgrades (this includes patches)
The FDA provides two guidance documents for cybersecurity documentation, and the following documentation must be submitted with your 510k premarket notification:
- Threat modeling
- Cybersecurity vulnerabilities/risks
- Cybersecurity controls
- Cybersecurity Traceability matrix
- Post-market cybersecurity plan
- Plan for malware-free shipping
- Cybersecurity labeling
What will you receive when you purchase this cybersecurity work instruction?
Anyone who purchases the 510k software documentation and cybersecurity work instruction (WI-007) will receive the work instruction in native Word format and any future updates to the work instruction at no additional cost. The work instruction is now updated to the new 2023 FDA cybersecurity guidance and includes the following templates:
- TMP-058 Cybersecurity Risk Management Report
- TMP-064 Threat Modelling Template
- TMP-043 Cybersecurity Risk Assessment
- TMP-051 Software Bill of Materials (SBOM)
- TMP-059 Software Level of Support and End of Support
- TMP-063 Safety and Security Assessment of Vulnerabilities
- TMP-048 Unresolved Anomalies
- TMP-061 Data from Monitoring Cybersecurity Metrics
- TMP-060 Cybersecurity Controls
- TMP-052 Security Architecture
- TMP-056 Vulnerability Management Plan
- TMP-050 Cybersecurity Risk Management Plan
- TMP-047 Cybersecurity Labeling
Additional supporting reference documents that should be used in conjunction with this work instruction and templates include:
- NIST 800-30 – This special publication is referenced in the 2023 FDA cybersecurity guidance. It is available as a free download published in September 2012. The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.
- AAMI TIR57:2016/(R)2023 (PDF) – This technical information report is only available from AAMI.org. An AAMI membership is recommended to take advantage of the member discounted price. This Technical Information Report (TIR) provides guidance on methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971. The TIR incorporates the expanded view of risk management from IEC 80002-1 by incorporating the same key properties of Safety, Effectiveness and Data & Systems Security with Annexes that provide process details and illustrative examples.
This 510k Software Documentation & Cybersecurity Work Instruction (WI-007) and the associated templates are available for $399. Other software documentation templates referenced in this work instruction are sold with the purchase of the Software Development and Validation Procedure (SYS-044). If you would like to ask confidential questions, please use our calendar app to schedule a call with Rob Packard, or you can email the author of the work instruction directly. The work instructions and the two templates are provided in native MS Word format for your convenience.
Important Note
This work instruction and template will be delivered to the email address provided in the shopping cart transaction. After the transaction is verified, please check your email for the download. The email may be in your spam folder.
Additional Security Incident Response Planning Work Instruction
Bhoomika also wrote a work instruction explaining how to respond to security incidents. This second work instruction is now available for sale and is called Security Incident Response Planning (WI-008). Rob Packard has recorded a webinar explaining how to use our CAPA Report (i.e., FRM-009) to document an incident response plan.
Additional resources to supplement this cybersecurity work instruction
In addition to this work instruction, you may also be interested in the following blog articles and webinars related to cybersecurity and/or software verification and validation:
- Cybersecurity Webinar – Learn what the FDA wants in your 510k
- Cybersecurity FDA Guidance for Devices with Software and Firmware
- Software Service Provider Qualification and Management
- Software as a medical device (SaMD)
- Software Validation Procedure (SYS-044)
- 510k Software Documentation Webinar
About the Instructor
Bhoomika Joyappa joined Medical Device Academy in April 2021 and is now a Sr. Regulatory Consultant at our company. She has a Master’s Degree in Biomedical/Medical Engineering from The City University of New York. Prior to joining Medical Device Academy, she worked as a regulatory affairs intern and completed a training program in regulatory affairs at Duke University School of Medicine. She also has previous experience as a SAS programmer and technical writer for Huawei. She is passionate about regulatory affairs and has already made an immediate positive contribution to our clients by completing her first few 510k submissions and developing cybersecurity checklists that help clients prepare the cybersecurity documentation required by the FDA. She can be reached via email.