In a risk analysis, how can we tie mobile app security breach to ISO 14971?

[snoopy2017]

Hi everyone,

In a risk analysis, how can we tie security breach (e.g. losing confidentiality of patient information) to ISO 14971? What is the severity level of harm for loss of confidentiality of information in a mobile app? I would think we should do that exploitability analysis first as per FDA's 2016 guidance on cybersecurity. Has anyone had first hand experience doing this analysis tied to 14971? If so, could you provide some guidance or a sample template of this type of a security risk analysis? Thank you. I would appreciate any reply.

 

[yodon]

One way is to incorporate in a Software FMEA. The 'harm' indeed gets a little wonky.

There's a new guidance: https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm623529.pdf

 

[QAengineer13]

I would highly recommend you purchasing and reading AAMI TIR 57 Principles for medical device security which addresses security risk management in the context of ISO 14971, it creates a clear linkages between consideration of safety and security, this TIR is recognized by the FDA and referenced in their post market guidance .

Example: Images from the TIR 57






Anothe recommendation is EN 82304-1 Health Software General requirmetns for product safety to look into which applies to the SAFETY and SECURITY of Health Software Products designed to operate on general computing platforms and intended to be placed on the market without dedicated hardware.

-Rk

 

[Mark Meer]

Haven't had to go through the process myself (yet), but at the highest level of assessing potential harm, perhaps start by assessing:

- Can a breach be used to interfere with the device function?
- Can a breach be used to corrupt/overwrite existing data? If so, what would be the worst-case result?
- Can data potentially stolen/read in event of breach be used to personally identify a patient?
- Can this data be used to infer patient diagnoses and treatments?

Perhaps a bit simplistic depending on your application, but a starting point for what it's worth...
MM.

 

[tomshoup]

The short answer to snoopy2017's question is to use the steps of 14971 to assess the cyber risk: RISK ANALYSIS: identify the hazard (loss of confidentiality), identify the sequence of events that can lead to such a breach, identify the resuting hazardous situation (loss of confidentiality = HIPPA violation, public exposure, etc.), identify the severity and probability. Then RISK EVALUATION: is this risk acceptable. If the risk is acceptable, stop. If the risk is not acceptable, identify and implement control measures to reduce the risk and verify their implementation and effectiveness.

FDA's guidance on cybersecurity as it relates to submissions parallels 14971:


Also, the Open Web Application Security Project has a good discussion on threat modeling that will help with this.
www.owasp.org/index.php/Application_Threat_Modeling.

Regards,
Tom