Testing cloud-based backups

psp1234

Involved In Discussions
#1
Hi,
Not sure if I should post here in "13485", but I'll start here.
My auditor, for ISO 13485, was concerned that we don't have a plan to test cloud-based applications' backup.
Our cloud-based apps are hosted by AWS.
What is your recommendation on how to approach testing the backup?
It appears that the expectation is to call our contractor (the app owner) and ask for a file recovery from AWS - at a certain frequency.
Does it make sense? Is it overkill? Or is it enough to say that AWS is ISO 27001 certified and this testing activity is "covered by the certification"?

happy to hear advice,
thx
Sue
 

Tagin

Trusted Information Resource
#2
AWS may provide a reliable hosting platform, but the app owner is responsible for configuration of the software and accounts that sit on top of that platform, including configuring backups. There have been endless stories of how misconfigured S3 buckets have allowed access to confidential data, and the example of the case linked below where backups were performed, but the backups were on the same AWS account as the main servers, so once a hacker got in, he was able to delete both the production servers and all the backups, putting the company out of business.

My point is that it is not merely testing the app owner's backup plan that is a potential risk; it is also all the risks associated with configuration, which depends on how competent and diligent are the app owners at securely configuring the app and the AWS accounts.

Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets
Hacker Puts Hosting Service Code Spaces Out of Business
 

psp1234

Involved In Discussions
#3
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for evidence of testing the backup and/or testing the config, how do I really know? I am not an IT expert :-(
 

Ninja

Looking for Reality
Trusted Information Resource
#4
If it were me (and it was) I would pretend that my site went offline totally.

You aren't testing AWS...you are testing the purpose for having backups at all...catastrophic accident requiring the backup.

AWS is part of your BCP...test the BCP as a whole.
Where will you access the backup from? Go there.
What terminal/computer will you use? Use that one.
How will you operate? Operate that way.

That's how you test the 'real world scenario' of "I need a backup".
Because of the cost, we tested it once... then tested the particular items of highest concern yearly.

Items of highest concern:
Computer data: develop a list of what you want most, download those items, check them.
Calling the remote rental site to review contract.

HTH
 
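The "download the items of highest concern and check them" step above, as an added example (not code from this thread or any poster): each listed file is restored from a backup copy, compared with a manifest of known-good SHA-256 hashes, and a timestamped pass/fail record is written so the test leaves evidence. File names, contents and hashes are constructed.

```python
# Added example, not from the thread. Scripted restore test for an "items of
# highest concern" list: restore, verify by hash, record the outcome.
# All file names and contents below are constructed for the demonstration.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def restore_and_verify(backup_dir: Path, restore_dir: Path, manifest: dict) -> dict:
    # A missing or altered item is recorded as a failed restore, not raised.
    results = {}
    for rel, expected in manifest.items():
        src, dst = backup_dir / rel, restore_dir / rel
        if not src.exists():
            results[rel] = "MISSING"
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        results[rel] = "OK" if sha256_of(dst) == expected else "CORRUPT"
    return results

def write_report(results: dict, report_path: Path) -> bool:
    passed = all(v == "OK" for v in results.values())  # every item must be intact
    report = {"tested_at": datetime.now(timezone.utc).isoformat(),
              "items": results, "passed": passed}
    report_path.write_text(json.dumps(report, indent=2))
    return passed

def demo():
    # Constructed scenario: one intact file, one altered in backup, one never backed up.
    root = Path(tempfile.mkdtemp())
    backup, restore = root / "backup", root / "restore"
    (backup / "dhf").mkdir(parents=True)
    (backup / "dhf" / "risk_file.csv").write_bytes(b"hazard,severity\nshock,3\n")
    (backup / "sop_qms.pdf").write_bytes(b"altered content")
    digest = lambda b: hashlib.sha256(b).hexdigest()
    manifest = {"dhf/risk_file.csv": digest(b"hazard,severity\nshock,3\n"),
                "sop_qms.pdf": digest(b"original content"),
                "complaints.db": digest(b"never backed up")}
    results = restore_and_verify(backup, restore, manifest)
    return results, write_report(results, root / "restore_test_report.json")
```

The manifest of expected hashes should be kept outside the backup itself, otherwise an attacker or a corruption that alters the backup can alter the reference too.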

Tagin

Trusted Information Resource
#5
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for evidence of testing the backup and/or testing the config, how do I really know? I am not an IT expert :-(
Unless they give you transparency into their procedures and security settings, you can't really tell. You can perhaps see if they can provide you some certifications for IT management and IT cybersecurity, or some kind of report which shows the controls and risk mgmt they are performing (and then, do you trust the report to be truthful?). Otherwise, aside from auditing them, you're kind of stuck with a reputation-based assessment.
 

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#7
You will need to do what others have said and probably more for GDPR & the new California regs if you are a larger company.
 