Testing cloud-based backups

psp1234

Involved In Discussions
#1
Hi,
Not sure if I should post here in "13485", but I'll start here.
My auditor, for ISO 13485, was concerned that we don't have a plan to test cloud-based applications' backup.
Our cloud-based apps are hosted by AWS.
What is your recommendation on how to approach testing the backup?
It appears that the expectation is to call our contractor (the app owner) and ask for a file recovery from AWS - in a certain frequency.
Does it make sense? Is it overkill? Or is it enough to say that AWS is ISO 27001 certified and this testing activity is "covered by the certification"?

happy to hear advice,
thx
Sue
 

Tagin

Trusted Information Resource
#2
AWS may provide a reliable hosting platform, but the app owner is responsible for configuration of the software and accounts that sit on top of that platform, including configuring backups. There have been endless stories of how misconfigured S3 buckets have allowed access to confidential data, and the example of the case linked below where backups were performed, but the backups were on the same AWS account as the main servers, so once a hacker got in, he was able to delete both the production servers and all the backups, putting the company out of business.

My point is that it is not merely testing the app owner's backup plan that is a potential risk; it is also all the risks associated with configuration, which depends on how competent and diligent the app owners are at securely configuring the app and the AWS accounts.

Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets
Hacker Puts Hosting Service Code Spaces Out of Business
 

psp1234

Involved In Discussions
#3
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for evidence of testing the backup and/or testing the config, how do I really know? I am not an IT expert :-(
 

Ninja

Looking for Reality
Trusted Information Resource
#4
If it were me (and it was) I would pretend that my site went offline totally.

You aren't testing AWS...you are testing the purpose for having backups at all...catastrophic accident requiring the backup.

AWS is part of your BCP...test the BCP as a whole.
Where will you access the backup from? Go there.
What terminal/computer will you use? Use that one.
How will you operate? Operate that way.

That's how you test the 'real world scenario' of "I need a backup".
Because of the cost, we tested it once... then tested the particular items of highest concern yearly.

Items of highest concern:
Computer data: develop a list of what you want most, download those items, check them.
Calling the remote rental site to review contract.

HTH
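The "develop a list of what you want most, download those items, check them" step above is the part of the drill that can be scripted. The following is an added example, not code from the thread or from any of the posters: it assumes the team keeps a manifest of the critical files and their SHA-256 digests, taken when the backup is made, and compares whatever came back from the restore against it. The manifest, file names and contents here are constructed sample data.

```python
"""Restore-drill verification for the "items of highest concern".

Added example, not from the forum thread. Assumes a manifest (constructed
inline here) that lists each critical file and its SHA-256 at backup time,
and a directory containing whatever the app owner handed back in the drill.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the files the company would want back first.
SAMPLE_FILES = {
    "dhf/design_history.pdf": b"design history file v3",
    "qms/procedures/SOP-07.docx": b"backup and restore SOP",
    "db/complaints.sqlite": b"complaint records export",
}

# Manifest as it would be recorded at backup time: relative path -> digest.
MANIFEST = {path: sha256_bytes(content) for path, content in SAMPLE_FILES.items()}


def verify_restore(restore_root: str, manifest: dict) -> dict:
    """Check every manifest entry under restore_root.

    Returns {"ok": [...], "missing": [...], "corrupt": [...]} so the drill
    report can name exactly which items were not recoverable.
    """
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel_path, expected in manifest.items():
        full = os.path.join(restore_root, rel_path)
        if not os.path.isfile(full):
            result["missing"].append(rel_path)
            continue
        with open(full, "rb") as fh:
            actual = sha256_bytes(fh.read())
        if actual == expected:
            result["ok"].append(rel_path)
        else:
            result["corrupt"].append(rel_path)
    return result


def drill_passed(report: dict) -> bool:
    """A drill only passes when nothing is missing or altered."""
    return not report["missing"] and not report["corrupt"]


def _write_files(root: str, files: dict) -> None:
    # Helper to lay out a simulated restore on disk.
    for rel_path, content in files.items():
        full = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def run_drill() -> dict:
    """Simulate a restore where one file came back truncated and one is absent."""
    restored = dict(SAMPLE_FILES)
    restored["db/complaints.sqlite"] = b"complaint records"   # truncated copy
    del restored["qms/procedures/SOP-07.docx"]                # never restored
    with tempfile.TemporaryDirectory() as root:
        _write_files(root, restored)
        return verify_restore(root, MANIFEST)


if __name__ == "__main__":
    report = run_drill()
    for status, paths in report.items():
        for p in paths:
            print(f"{status:8} {p}")
    print("DRILL PASSED" if drill_passed(report) else "DRILL FAILED")
```

Against a real restore you would point `verify_restore` at the directory the files were recovered into and at the manifest recorded when the backup was taken. The manifest itself should live somewhere the production credentials cannot modify, for the same reason the Code Spaces case above is cited: if the backups and the record of what they should contain sit in the same account as production, one compromise silently invalidates both.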
 

Tagin

Trusted Information Resource
#5
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for evidence of testing the backup and/or testing the config, how do I really know? I am not an IT expert :-(
Unless they give you transparency into their procedures and security settings, you can't really tell. You can perhaps see if they can provide you some certifications for IT management and IT cybersecurity, or some kind of report which shows the controls and risk mgmt they are performing (and then, do you trust the report to be truthful?). Otherwise, aside from auditing them, you're kind of stuck with a reputation-based assessment.
 

Ed Panek

QA RA Small Med Dev Company
Staff member
Super Moderator
#7
You will need to do what others have said and probably more for GDPR & the new California regs if you are a larger company.
 

Ed Panek

QA RA Small Med Dev Company
Staff member
Super Moderator
#8
Is there a forum for GDPR? I have a few templates I can link there since we self-certified this year.
 