As some of the comments above suggested, building a parallel cybersecurity path for the product, with integration into existing QMS processes, is one that seems to be working with many manufacturers. Specifically for risk assessment, all gaps identified in the threat model, security testing and missing controls should be evaluated from a cybersecurity perspective. Many in the industry leverage the Common Vulnerability Scoring System (CVSS) to perform this assessment, and risks that cross a certain scoring threshold are then pulled forward into the safety risk assessment. MITRE has also released a CVSS rubric for healthcare, to be used with medical devices.
This is what a high level process would look like:
- Identify all gaps that could be risks
- Perform a CVSS assessment
- Determine the appropriate threshold for your organization and require those above that to have a safety risk assessment performed, those below do not. However, cybersecurity risks that do not impact patient safety may still require routine updates or patches
- Perform a safety risk assessment - if possible, utilize CVSS as the P values and keep the severity of impact as is, with the pre-defined hazards list
- Determine next steps
- Document all decisions, even if it is determined a risk is low and requires no remediation
The list above identifies the steps for performing this work on a product during design & development. You should also consider how to integrate cybersecurity with the QMS, such that it is part of the process and is repeatable.
Let me know if you have any additional questions on this, as I've been working specifically on device cybersecurity since the 2014 guidance came out (including successful PMA/510(k) approvals).
Thanks,
Colin Morgan
Managing Director
Apraciti, Medical Device Cybersecurity
[email protected]