The Food and Drug Administration (FDA) has recently released new guidance on cybersecurity for medical devices. This presentation will provide an overview of this guidance and review what is required for 510(k) submissions. We will also discuss the upcoming European Union (EU) cybersecurity regulations and how they compare to the FDA guidance.
This webinar with ICS and partner RTI, the largest software framework company for autonomous systems, will focus on threat modeling and cybersecurity risk assessments in light of the new guidance, and how these activities impact design requirements for medical devices. You will learn common pitfalls and mistakes to avoid when establishing organizational best practices in cybersecurity.
We will also discuss the challenges of securing data in motion for connected medical devices and describe how a data-centric software framework based on open standards addresses the design requirements for highly reliable, scalable and secure systems.
Attendees will gain an understanding of the current regulatory expectations, best practices for cybersecurity risk assessments, and standards-based solutions for secure data connectivity.
2. About ICS
Established in 1987, Integrated Computer Solutions, Inc. (ICS) delivers innovative software solutions with a full suite of services to accelerate development of successful next-gen products.
ICS is headquartered outside Boston in Waltham, Mass. with offices in California, Canada and Europe. Currently 160 people.
Boston UX is ICS’ design studio, specializing in intuitive touchscreen and multimodal interfaces for high-impact embedded and connected devices.
3. Delivering a Full Suite of Medtech Services
● Human Factors Engineering
● IEC 62366 UX/UI Design
● Custom Frontend and Backend Software Development
● Development with IEC 62304-Compliant Platform
● Low-code Tools that Convert UX Prototype to Product
● Medical Device Cybersecurity
● AWS and Azure Cloud Services and Analytics
● ISO 14971-Compliant Hazard Analysis
● Software Verification Testing
● Complimentary Software Technology Assessment
5. Cybersecurity in Medical Devices - Why?
Business Risks
HIPAA violations: up to $10,000 each patient
GDPR: $10-$20M or 2-4% of revenue
FDA: [Draft] April 2022 Guidance for Premarket Submissions
     December 2022 Omnibus Appropriations Bill
EU: Harmonizing ISO 81001-5-1 in 2024
6. Deliverables in FDA’s Latest Guidance
SDLC (Secure Product Development Lifecycle) | QMS
Cybersecurity Architecture | Design
Threat Modeling | Design
Hazards / Risk Assessment | Design
Static Analysis | Development
SCA/BCA -> SBOM* | Development
Penetration Testing | Release Candidate
Labeling Additions | User Manual (IFU)
Vulnerability Management Plan* | QMS
Periodic Vulnerability Analysis* | Post Release
Annual Cybersecurity Report | Post Release
* Included in December 2022 Omnibus Appropriations Bill
7. What about EU? ISO 81001-5-1:2022
SPDF (Secure Product Development Framework) | 5.1.1
Cybersecurity Architecture | 5.3.1
Threat Modeling | 7.2
Risk Assessment | 7.4
Static Analysis | A.4 (c) Part of secure coding practices
SCA/BCA -> SBOM | 5.7.3 (d)
Penetration Testing | 5.7.4
Labeling Additions | 5.8.2
Vulnerability Management Plan | 6.1
Periodic Vulnerability Analysis | 4.1.8
Annual Cybersecurity Report | 4.1
13. Summary
Complex design exponentially increases the cybersecurity requirements
More potential points of failure = more mitigations = more requirements = more tests
Comprehensive Assessment required
Increasing regulatory requirements
Starting to see specialized cybersecurity legislation (post-market / pre-market / IoT)
Next: How secure connectivity can be used to address these challenges