
Cyber Security and Safety Risks

solok

Registered
#1
Cyber security risks that could lead to a safety risk (in the context of 14971 and TIR57) should be assessed in a safety risk assessment.

My question is, does probability play a part here?

For instance, somebody could gain access to a system and modify results files that could harm a patient. The controls I put in place from cyber security perspective though could reduce the probability to an acceptable level. Do I still need to migrate this risk into the safety risk assessment? Reading TIR57, it would appear that I do.

I am not talking about the risks of the controls here but instead just the hazard.

Appreciate any feedback.
 

yodon

Staff member
Super Moderator
#2
We've moved away from the 'traditional' FMEA for cybersecurity and have been using the MITRE Rubric. FDA qualified it as a Medical Device Development Tool (MDDT). To me, the approach makes a lot of sense - it enables you to identify the threats in a quantifiable manner, apply controls, and then re-assess the threat in the same quantifiable manner (score goes down as you "close the doors" on threats). They have already defined acceptable scores.
 

colinkmorgan

Managing Director
#4
The cybersecurity industry has moved away from probability for evaluating cybersecurity risks and rather uses "exploitability", which is outlined in the 2016 FDA Post Market guidance as referenced above. The challenge with probability is that the probability can change overnight for a cybersecurity risk, meaning a weakness in a system is there today but unknown and has no active exploits, making the probability low. Tomorrow, an exploit becomes available on the Internet which may make the probability increase to a high. This is a heavily debated topic, which I'm definitely generalizing.

For cybersecurity risks you need to look at them for how easy/hard is it to exploit the weakness and if exploited, how impactful can it be. As TIR57 points out, the risk needs to be evaluated through a cybersecurity lens first and then if there is a potential to impact patient safety, then the safety lens according to 14971.

CVSS is the most common approach and as another poster pointed out, the MITRE CVSS Rubric for Healthcare can help with this (here’s a good tool for that - cvss-rubric.deeparmor.com).

Circling back to the original question, here is an example approach to cybersecurity for a submission:
  • Step 1 – document architecture and data flow diagrams
  • Step 2 – execute threat model on architecture and data flow diagrams. Pick a methodology (e.g. MS STRIDE) and identify potential threats against the system to help identify weakness and controls (FYI, FDA is talking a lot about threat modeling lately, so it seems to be an expectation for submissions now)
  • Step 3 – identify and document security controls/requirements (be sure to map the threats from threat model to the requirements)
  • Step 4 – execute security testing (SAST, SCA, Penetration Testing) and V&V testing for security controls
  • Step 5 – identify all known residual risk from threat model, gaps in requirements, security testing and document in a cybersecurity risk assessment using healthcare CVSS
    • An identified threat without a control is a risk
    • A control that does not meet industry standards is a risk (e.g. using deprecated encryption like TLS1.0)
    • A vulnerability identified in testing is a risk
  • Step 6 – define what is considered acceptable and not-acceptable risk and treat accordingly
  • Step 7 – if any risk crosses the defined threshold for potential safety impact, pull forward to FMEA (or like) and evaluate there
  • Step 8 – properly document this end-to-end approach, summarize all known residual risk and include everything as part of 510K/PMA/etc
Hope this helps!

Colin Morgan, CISSP, CISM, GPEN
 

Tidge

Trusted Information Resource
#5
In the context of safety for medical device software, the probability of software failure occurring cannot be considered (per 62304 informative Annex B); so it should go with the evaluation of security-related risks and the assessment of (potential/implemented) controls.

I believe it is crucially important when discussing Medical Devices that an explicit difference between safety and security be observed. They are different concepts, and the degree-of-importance assigned to them derives from different sources.
 
#6
Thank you all for the replies. @colinkmorgan I really appreciate the detail you have put there and it helps. I have a quick question in reference to:
  • Step 6 – define what is considered acceptable and not-acceptable risk and treat accordingly
  • Step 7 – if any risk crosses the defined threshold for potential safety impact, pull forward to FMEA (or like) and evaluate there
So if in step 6 I defined a risk to be acceptable, it would not need to be pulled into the safety impact assessment?
 