Testing cloud-based backups

psp1234

Involved In Discussions
#1
Hi,
Not sure if I should post here in "13485", but I'll start here.
My auditor, for ISO 13485, was concerned that we don't have a plan to test cloud-based applications' backup.
Our cloud-based apps are hosted by AWS.
What is your recommendation for approaching backup testing?
It appears that the expectation is to call our contractor (the app owner) and ask for a file recovery from AWS at a certain frequency.
Does it make sense? Is it overkill? Or is it enough to say that AWS is ISO 27001 certified and this testing activity is "covered by the certification"?

happy to hear advice,
thx
Sue

Tagin

Trusted Information Resource
#2
AWS may provide a reliable hosting platform, but the app owner is responsible for configuration of the software and accounts that sit on top of that platform, including configuring backups. There have been endless stories of how misconfigured S3 buckets have allowed access to confidential data, and the example of the case linked below where backups were performed, but the backups were on the same AWS account as the main servers, so once a hacker got in, he was able to delete both the production servers and all the backups, putting the company out of business.

My point is that it is not merely the app owner's backup plan that is a potential risk; it is also all the risks associated with configuration, which depend on how competent and diligent the app owners are at securely configuring the app and the AWS accounts.

Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets
Hacker Puts Hosting Service Code Spaces Out of Business

psp1234

Involved In Discussions
#3
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for evidence of testing the backup and/or testing the config, how do I really know? I am not an IT expert :-(

Ninja

Looking for Reality
Staff member
Super Moderator
#4
If it were me (and it was) I would pretend that my site went offline totally.

You aren't testing AWS...you are testing the purpose for having backups at all...catastrophic accident requiring the backup.

AWS is part of your BCP...test the BCP as a whole.
Where will you access the backup from? Go there.
What terminal/computer will you use? Use that one.
How will you operate? Operate that way.

That's how you test the 'real world scenario' of "I need a backup".
Because of the cost, we tested it once... then tested the particular items of highest concern yearly.

Items of highest concern:
Computer data: develop a list of what you want most, download those items, check them.
Calling the remote rental site to review the contract.

HTH
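The "develop a list of what you want most, download those items, check them" step in the post above, as an added example that is not the poster's own code and nothing from AWS: it assumes a manifest of SHA-256 hashes recorded for the critical files when the backup was taken (a hypothetical practice the thread does not describe) and that the restored files have been downloaded to a local directory. File names, contents and directory layout are constructed sample data.

```python
"""Restore-test verification: did the files we got back match what we backed up?

Added example; not code from any poster in the thread or from AWS. Assumes a
manifest of SHA-256 hashes was recorded at backup time (hypothetical) and that
the restored files sit in a local directory. All file names/contents are
constructed sample data.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class RestoreResult:
    """Outcome of checking a restored directory against a manifest."""
    ok: list = field(default_factory=list)          # relative paths that matched
    mismatched: list = field(default_factory=list)  # (path, expected, actual) tuples
    missing: list = field(default_factory=list)     # relative paths not restored at all

    @property
    def passed(self) -> bool:
        return not self.mismatched and not self.missing


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so a large database dump need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(src_dir: str, critical_files) -> dict:
    """Record expected hashes for the 'items of highest concern' at backup time."""
    return {rel: sha256_file(os.path.join(src_dir, rel)) for rel in critical_files}


def verify_restore(restore_dir: str, manifest: dict) -> RestoreResult:
    """Compare every manifest entry with its restored copy. A missing or altered
    file fails the restore test even if the restore job itself reported success."""
    result = RestoreResult()
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            result.missing.append(rel)
            continue
        actual = sha256_file(path)
        if actual == expected.lower():
            result.ok.append(rel)
        else:
            result.mismatched.append((rel, expected, actual))
    return result


def _write_tree(root: str, files: dict) -> None:
    """Materialise a dict of {relative_path: bytes} under root (test fixture helper)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Constructed scenario: take a manifest from 'production', then verify one
    faithful restore and one bad restore (a truncated dump and an absent file)."""
    production = {
        "config/app.yaml": b"backup_retention_days: 30\n",
        "db/patients.sql": b"CREATE TABLE patients (id INTEGER PRIMARY KEY);\n" * 100,
        "docs/dhf_index.csv": b"id,title\n1,Risk management file\n",
    }
    with tempfile.TemporaryDirectory() as prod_dir, \
            tempfile.TemporaryDirectory() as good_dir, \
            tempfile.TemporaryDirectory() as bad_dir:
        _write_tree(prod_dir, production)
        manifest = build_manifest(prod_dir, list(production))

        _write_tree(good_dir, production)  # faithful restore
        _write_tree(bad_dir, {
            "config/app.yaml": production["config/app.yaml"],
            "db/patients.sql": production["db/patients.sql"][:512],  # truncated dump
            # docs/dhf_index.csv deliberately not restored
        })
        return {
            "good": verify_restore(good_dir, manifest),
            "bad": verify_restore(bad_dir, manifest),
        }


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name}: passed={res.passed} ok={len(res.ok)} "
              f"mismatched={[m[0] for m in res.mismatched]} missing={res.missing}")
```

The point of hashing rather than just listing files is that a restore job can report success and still hand back a truncated or stale copy; the manifest gives the restore test a pass/fail criterion an auditor can read. For the manifest to be worth anything in the scenario Tagin describes, it has to be kept somewhere an attacker who deletes the production account cannot also delete.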

Tagin

Trusted Information Resource
#5
psp1234 said:
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for evidence of testing the backup and/or testing the config, how do I really know? I am not an IT expert :-(

Unless they give you transparency into their procedures and security settings, you can't really tell. You can perhaps see if they can provide you with some certifications for IT management and IT cybersecurity, or some kind of report which shows the controls and risk management they are performing (and then, do you trust the report to be truthful?). Otherwise, aside from auditing them, you're kind of stuck with a reputation-based assessment.

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#7
You will need to do what others have said, and probably more for GDPR and the new California regs if you are a larger company.

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#8
Is there a forum for GDPR? I have a few templates I can link there since we self-certified this year.