In a risk analysis, how can we tie mobile app security breach to ISO 14971?

snoopy2017

Hi everyone,

In a risk analysis, how can we tie a security breach (e.g. losing confidentiality of patient information) to ISO 14971? What is the severity level of harm for loss of confidentiality of information in a mobile app? I would think we should do that exploitability analysis first as per FDA's 2016 guidance on cybersecurity. Has anyone had first-hand experience doing this analysis tied to 14971? If so, could you provide some guidance or a sample template of this type of a security risk analysis? Thank you. I would appreciate any reply.
 

QAengineer13

Quite Involved in Discussions
I would highly recommend purchasing and reading AAMI TIR 57, Principles for medical device security, which addresses security risk management in the context of ISO 14971. It creates clear linkages between consideration of safety and security. This TIR is recognized by the FDA and referenced in their postmarket guidance.

Example: Images from the TIR 57

1540853190526.png

1540853158328.png


Another recommendation to look into is EN 82304-1, Health Software: General requirements for product safety, which applies to the SAFETY and SECURITY of Health Software Products designed to operate on general computing platforms and intended to be placed on the market without dedicated hardware.

-Rk
 

Mark Meer

Trusted Information Resource
Haven't had to go through the process myself (yet), but at the highest level of assessing potential harm, perhaps start by assessing:

- Can a breach be used to interfere with the device function?
- Can a breach be used to corrupt/overwrite existing data? If so, what would be the worst-case result?
- Can data potentially stolen/read in event of breach be used to personally identify a patient?
- Can this data be used to infer patient diagnoses and treatments?

Perhaps a bit simplistic depending on your application, but a starting point for what it's worth...
MM.
 
tomshoup

The short answer to snoopy2017's question is to use the steps of 14971 to assess the cyber risk: RISK ANALYSIS: identify the hazard (loss of confidentiality), identify the sequence of events that can lead to such a breach, identify the resulting hazardous situation (loss of confidentiality = HIPAA violation, public exposure, etc.), identify the severity and probability. Then RISK EVALUATION: is this risk acceptable? If the risk is acceptable, stop. If the risk is not acceptable, identify and implement control measures to reduce the risk and verify their implementation and effectiveness.

FDA's guidance on cybersecurity as it relates to submissions parallels 14971:
1550878828166.png

Also, the Open Web Application Security Project has a good discussion on threat modeling that will help with this.
www.owasp.org/index.php/Application_Threat_Modeling.

Regards,
Tom
 