In a risk analysis, how can we tie mobile app security breach to ISO 14971?

#1
Hi everyone,

In a risk analysis, how can we tie security breach (e.g. losing confidentiality of patient information) to ISO 14971? What is the severity level of harm for loss of confidentiality of information in a mobile app? I would think we should do that exploitability analysis first as per FDA's 2016 guidance on cybersecurity. Has anyone had first hand experience doing this analysis tied to 14971? If so, could you provide some guidance or a sample template of this type of a security risk analysis? Thank you. I would appreciate any reply.
 
Elsmar Forum Sponsor

QAengineer13

Quite Involved in Discussions
#3
I would highly recommend you purchasing and reading AAMI TIR 57 Principles for medical device security which addresses security risk management in the context of ISO 14971, it creates a clear linkages between consideration of safety and security, this TIR is recognized by the FDA and referenced in their post market guidance .

Example: Images from the TIR 57

1540853190526.png


1540853158328.png



Anothe recommendation is EN 82304-1 Health Software General requirmetns for product safety to look into which applies to the SAFETY and SECURITY of Health Software Products designed to operate on general computing platforms and intended to be placed on the market without dedicated hardware.

-Rk
 

Mark Meer

Trusted Information Resource
#4
Haven't had to go through the process myself (yet), but at the highest level of assessing potential harm, perhaps start by assessing:

- Can a breach be used to interfere with the device function?
- Can a breach be used to corrupt/overwrite existing data? If so, what would be the worst-case result?
- Can data potentially stolen/read in event of breach be used to personally identify a patient?
- Can this data be used to infer patient diagnoses and treatments?

Perhaps a bit simplistic depending on your application, but a starting point for what it's worth...
MM.
 

tomshoup

Starting to get Involved
#5
The short answer to snoopy2017's question is to use the steps of 14971 to assess the cyber risk: RISK ANALYSIS: identify the hazard (loss of confidentiality), identify the sequence of events that can lead to such a breach, identify the resuting hazardous situation (loss of confidentiality = HIPPA violation, public exposure, etc.), identify the severity and probability. Then RISK EVALUATION: is this risk acceptable. If the risk is acceptable, stop. If the risk is not acceptable, identify and implement control measures to reduce the risk and verify their implementation and effectiveness.

FDA's guidance on cybersecurity as it relates to submissions parallels 14971:
1550878828166.png


Also, the Open Web Application Security Project has a good discussion on threat modeling that will help with this.
www.owasp.org/index.php/Application_Threat_Modeling.

Regards,
Tom 1550878828166.png
 
Thread starter Similar threads Forum Replies Date
R ECG Risk Analysis Standards ISO 14971 - Medical Device Risk Management 2
adir88 Documenting Risk Control Option Analysis ISO 14971 - Medical Device Risk Management 2
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
M IATF 16949 (6.1.1 - Planning and Risk Analysis for a remote site) Process Maps, Process Mapping and Turtle Diagrams 5
D Risk Analysis & Technical File - What detail goes in the Risk Management Report ISO 14971 - Medical Device Risk Management 5
M An example of risk analysis of class I MD ISO 14971 - Medical Device Risk Management 36
T Risk analysis of QMS software - Validating software we use for QMS ISO 13485:2016 - Medical Device Quality Management Systems 5
B Grouping of Products for Risk Analysis ISO 14971 - Medical Device Risk Management 9
A Risk-benefit Analysis - Hazard Analysis (HA) and FMEAs ISO 14971 - Medical Device Risk Management 17
R The difference b/w FMEA & Risk analysis as per iso 14971 ISO 14971 - Medical Device Risk Management 8
K Risk Analysis Updates due to complaints ISO 14971 - Medical Device Risk Management 10
S The Severity of a Medical Device Hazard - Risk Analysis Clarification ISO 14971 - Medical Device Risk Management 6
Ed Panek Transition to IEC 60601 4th Edition - Risk Analysis and test submissions CE Marking (Conformité Européene) / CB Scheme 2
Q Risk / benefit Analysis in Risk Management Report CE Marking (Conformité Européene) / CB Scheme 12
R IATF 16949 Clause 6.1.2.1 - Lessons Learned and Risk Analysis IATF 16949 - Automotive Quality Systems Standard 6
S Risk analysis 6.1 and contingency plans 6.1.2.3, are they related? IATF 16949 - Automotive Quality Systems Standard 26
B Software Class A - Lengthy further risk analysis IEC 62304 - Medical Device Software Life Cycle Processes 9
W Biocompatibility Risk Analysis for Clinical Practitioner 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
F Risk Analysis of a Medical Device Accessory ISO 14971 - Medical Device Risk Management 4
S How we can use risk analysis for suppliers IATF 16949 - Automotive Quality Systems Standard 6
I Medical Device Software Risk Analysis ISO 14971 - Medical Device Risk Management 4
Q Risk Analysis - Same Risk Treatment for Context and Interested Parties ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
C Risk Analysis for COTS/OTS Risk Management Principles and Generic Guidelines 4
M IATF 16949 Cl. 8.7.1.4 - Risk analysis for decision making about rework IATF 16949 - Automotive Quality Systems Standard 2
E Risk Analysis - Events which may cause to Data Loss ISO 14971 - Medical Device Risk Management 12
W Risk Benefit Analysis - ISO 14971:2012 Requirements ISO 14971 - Medical Device Risk Management 27
F Medical Device HACCP (Hazard Analysis and Critical Control Point) Risk Management ISO 14971 - Medical Device Risk Management 2
Q Risk Tools in ISO 31010 - Root Cause Analysis vs. Cause-and-effect Analysis ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
S Organizing Risk Analysis and Controls for a New Medical Device (ISO 14971) ISO 14971 - Medical Device Risk Management 4
S Please review my Risk Analysis Table ISO 14971 - Medical Device Risk Management 13
K Risk Analysis and "Information for Safety" / Labeling ISO 14971 - Medical Device Risk Management 10
M Risk analysis - ISO/TS 16949 clause 7.2.2.2 IATF 16949 - Automotive Quality Systems Standard 2
C Help with Risk/Benefit Analysis Self-help Device for Diabetics ISO 14971 - Medical Device Risk Management 3
A FTA-Top/Down approach to Risk Analysis ISO 14971 - Medical Device Risk Management 2
A Industry best practice about Post-Market Surveillance and Risk Analysis ISO 14971 - Medical Device Risk Management 6
T Risk Analysis help for CE Marking Class I Medical Device ISO 14971 - Medical Device Risk Management 10
T Risk Analysis for moving manufacturing equipment ISO 14971 - Medical Device Risk Management 17
D Different kinds of Risk Analysis for various Hazards ISO 14971 - Medical Device Risk Management 3
L GHTF/SG3/N15R8 - Process Validation and Risk Analysis ISO 13485:2016 - Medical Device Quality Management Systems 4
R Risk Analysis of Class IIb Disinfectant ISO 14971 - Medical Device Risk Management 6
J Does anyone have an example of Risk-Benefit Analysis per ISO 14971? Other ISO and International Standards and European Regulations 2
P FMEA Risk Analysis Recommended Action Priority FMEA and Control Plans 2
N ISO 14971 Risk Analysis - Sections 4.2 and 4.3 ISO 14971 - Medical Device Risk Management 2
D ISO 14971 - Risk Analysis Best Practices ISO 14971 - Medical Device Risk Management 5
S Internal Audit Plan per Risk Analysis Internal Auditing 5
K RISK ANALYSIS SAMPLE according to Annex ZA of EN ISO-14971-2012 Other Medical Device and Orthopedic Related Topics 1
S Help me with preparing Internal Audit Schedule based on Risk analysis 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
R Risk Analysis and Hazard Identification concerning Clinical Decision Support Systems ISO 14971 - Medical Device Risk Management 1
A Should Intentional Misuse be covered in the Risk Analysis under ISO 62366? IEC 62366 - Medical Device Usability Engineering 3
R Risk Register, Risk Analysis and Risk Response/Treatment IEC 27001 - Information Security Management Systems (ISMS) 5
Similar threads


















































Top Bottom