Medical Device Cyber Security Third Party Review

[raqark]

Hello,

I was hoping to get some input on what services (certification agencies) are out there for a medical device manufacturer to get a cyber security review and certification, if possible. Also what would such a review entail? Thanks!

 

[sreenu927]

Hi raqark,

You may check from the below:
http://www.shoebarassoc.com

Regards,
Sreenu

 

[yodon]

To my knowledge, there aren't any agencies or reviewers that would issue any certifications related to cybersecurity. That would seemingly imply liability that I can't imagine anyone would want to take on!

Here are a few links to FDA guidance docs. The first does a pretty good job of laying out expectations for what you should address regarding cybersecurity:
* http://www.fda.gov/downloads/Medica...onandGuidance/GuidanceDocuments/UCM356190.pdf
* http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
* http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm070634.htm

Certainly some expert help (e.g., ostensibly the reference Sreenu provided - but there are others) could provide guidance and/or help gather evidence of due diligence.

 

[raqark]

Thanks for the responses!
I came across the following article that talks about how effectively risk management of medical device addresses software cybersecurity. I cannot post the link , but here are the article details, please look it up.

Observations on the Risk Management of Medical Device and Software Cybersecurity - by Jeff Bell, Director of IT Security and Risk Services, CareTech November 10, 2014

I believe the industry is moving towards the perception that internal processes that identify and mitigate security level risks may be considered insufficient and a third party security review might be expected from medical device manufacturers. See excerpt below:

'While it is reassuring to know that this vendor performed a risk assessment and implemented improved security measures as a result of the assessment, it is not too much to expect third-party validation of the application security and greater transparency about the results. The stakes are just too high to accept less. '

 

[yodon]

Here's the link for anyone following: http://www.himss.org/News/NewsDetail.aspx?ItemNumber=34649

In general, I think independence in any testing results results more robust testing. Especially in cybersecurity where the playing field is changing so rapidly, outside expertise can more effectively and more efficiently assess the system.

 

[c.mitch]

Hi
My 2 cents
Did you think about iso 27001 certification?

 

[MedTechSoftware]

I believe that provided the analysis and testing is done, it shouldn't be mandatory that a third party conducts these activities.