In this FDA cybersecurity training webinar, you will learn how vulnerability testing and pentesting are done for your FDA 510k submission.
FDA Cybersecurity Testing
Today, the FDA released the new Final Cybersecurity Guidance. On Wednesday, September 27, 2023, @ 2 pm EDT, we are hosting a live webinar with a cybersecurity testing firm: Red Sentry. Red Sentry provides automated vulnerability scanning services and manual pentest services for small companies. Usually, these services are extremely expensive and take months. Alex Thomas and Valentina Flores founded the company to provide cybersecurity testing services that are fast and affordable for small companies. Valentina is the CEO of the company, and she will be answering our live Q&A as well as giving a short presentation on cybersecurity testing. Valentina is even providing examples of FDA cybersecurity testing for medical devices. If you would like to attend the live webinar, fill out the form below.
When is the FDA cybersecurity training webinar scheduled?
The webinar was hosted live on Wednesday, September 27, 2023, @ 2 pm EDT, but the YouTube recording is embedded below:
FDA Cybersecurity Requirements
If any of the following attributes are applicable to your medical device, then FDA cybersecurity requirements apply to your device and you will need to include cybersecurity data in your 510k submission:
- Cloud communication
- Network connection (active or not)
- Wireless communication in any form
- USB/serial ports/removable media
- Software upgrades (this includes patches)
Medical Device Academy primarily works with medical device start-up companies that are developing their first product and need help obtaining 510k clearance for their device. The hottest trend in medical devices is adding wireless functionality to existing electromedical devices and developing software applications for sharing patient data with physicians (e.g. MDDS systems that are software as a medical device or SaMD). Some of our clients are not familiar with the standard for medical device software lifecycle management [i.e. IEC 62304 ed 1.1 (2015)], and almost 100% of our clients need help with documentation of cybersecurity risks and developing a plan for postmarket management of cybersecurity for their devices.
Do you need procedures for Software Validation & Cybersecurity?
- SYS-044, Software Validation Procedure
- WI-007, 510(k) Software Documentation & Cybersecurity Work Instruction
Learning the basics of FDA cybersecurity
Two years ago we recorded a webinar on FDA cybersecurity requirements. If you register for tomorrow’s free webinar, you will also get the slide deck from the webinar presented by Bhoomika Joyappa and Matthew Walker two years ago. The webinar will cover four main topics and then we will address other topics during the Q&A portion at the end. The four main topics are:
- Cybersecurity Risk Management
- FDA Approach to Cybersecurity Risk Management (i.e. Threat Model)
- AAMI TIR57 Approach to Cybersecurity Risk Management (i.e. NIST)
- Cybersecurity Labeling
Cybersecurity Labeling Requirements
In the middle of the original webinar from 2021, Matthew Walker explained the cybersecurity labeling requirements. The cybersecurity labeling requirements have been enforced for the past two years, but the new Final guidance for cybersecurity expands the labeling requirements to include a Software Bill of Materials (SBOM). The FDA defines an SBOM as “A list of software components that includes but is not limited to commercial, open source, off-the-shelf, and custom software components.”
How to document FDA Cybersecurity requirements in the FDA eSTAR
On February 9, 2023, we recorded a 51-minute webinar demonstrating how to complete the cybersecurity section of the FDA eSTAR for documentation of how your device meets the FDA cybersecurity requirements. You can watch this video by purchasing our 510k Course. The webinar was presented by Bhoomika Joyappa and Rob Packard. There are 19 slides in the slide deck. The webinar reviews the history of FDA guidance documents and discusses what’s new in the latest draft guidance. In the presentation, we also explained the overall process for cybersecurity risk management. This process flow is illustrated by the diagram provided below.
Q&A about cybersecurity
During the live FDA cybersecurity training webinar, we will answer your questions. We will be converting this into an FAQ document and sending that as a follow-up to the original content. If you have company-specific questions, please use our Calendly app to schedule a call. If you are registering for this webinar after September 27, 2023, you can still submit questions by email. You can also use our QA/RA Suggestion Box.
Important note about the delivery of this training webinar
The FDA cybersecurity training webinar will be delivered to you via email. You need to confirm an email subscription before an invitation will be sent. Despite our efforts to add AWeber to our SPF Record, the emails from AWeber may be in your spam folder.
Additional FDA cybersecurity resources
For devices that are powered and/or have software, you will need to perform software validation in accordance with IEC 62304 ed 1.1 (2015). IEC 62304 makes no mention of “cybersecurity”, but there is another standard that is specific to the cybersecurity of medical devices and it is recognized by the FDA. The FDA has also published two guidance documents that are specific to cybersecurity and a new discussion paper:
- AAMI TIR57:2016 – Principles for medical device security – Risk management
- Guidance for Industry and Food and Drug Administration Staff Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (October 2014)
- Guidance for Industry, FDA Reviewers and Compliance on Postmarket Management of Cybersecurity in Medical Devices (December 2016)
- Discussion Paper: Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities (June 2021)
About the Instructor
Bhoomika Joyappa joined Medical Device Academy as an Associate Regulatory Consultant in April 2021. She has a Master’s Degree in Biomedical/Medical Engineering from The City University of New York. Prior to joining Medical Device Academy, she worked as a regulatory affairs intern and completed a training program in regulatory affairs at Duke University School of Medicine. She also has previous experience as a SAS programmer and technical writer for Huawei. She is passionate about regulatory affairs, and she is making an immediate positive contribution to our clients by already completing her first few 510k submissions and developing cybersecurity checklists for our clients to help with cybersecurity documentation required by the FDA. She can be reached via email.