
Medical Device Cyber Security Third Party Review


raqark

#1
Hello,

I was hoping to get some input on what services (certification agencies) are out there for a medical device manufacturer to get a cyber security review and certification, if possible. Also what would such a review entail? Thanks!
 

yodon

Staff member
Super Moderator
#3
To my knowledge, there aren't any agencies or reviewers that would issue any certifications related to cybersecurity. That would seemingly imply liability that I can't imagine anyone would want to take on!

Here are a few links to FDA guidance docs. The first does a pretty good job of laying out expectations for what you should address regarding cybersecurity:
* http://www.fda.gov/downloads/Medica...onandGuidance/GuidanceDocuments/UCM356190.pdf
* http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
* http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm070634.htm

Certainly some expert help (e.g., ostensibly the reference Sreenu provided - but there are others) could provide guidance and/or help gather evidence of due diligence.
 

raqark

#4
Thanks for the responses!
I came across the following article that talks about how effectively risk management of medical devices addresses software cybersecurity. I cannot post the link, but here are the article details; please look it up.

Observations on the Risk Management of Medical Device and Software Cybersecurity - by Jeff Bell, Director of IT Security and Risk Services, CareTech November 10, 2014

I believe the industry is moving towards the perception that internal processes that identify and mitigate security level risks may be considered insufficient and a third party security review might be expected from medical device manufacturers. See excerpt below:

'While it is reassuring to know that this vendor performed a risk assessment and implemented improved security measures as a result of the assessment, it is not too much to expect third-party validation of the application security and greater transparency about the results. The stakes are just too high to accept less.'
 

MedTechSoftware

#7
I believe that provided the analysis and testing is done, it shouldn't be mandatory that a third party conducts these activities.
 