
Cybersecurity Checklist Meddevice ICS

Uploaded by

alan-tj.tsai

CYBERSECURITY IN MEDICAL DEVICES

Checklist for Cybersecurity Documentation

Heightened Cybersecurity Compliance Now Required for New Medical Devices

New federal regulation applied in March 2023 as part of the PATCH Act
(Protecting and Transforming Cyber Health Care) mandates elevated
levels of cybersecurity compliance for new medical devices. The
mandate applies to medical devices that have software or that are
designed to be connected to the internet.

The regulations are based on the FDA's guidance from April 2022 entitled
Cybersecurity in Medical Devices: Quality System Considerations and
Content of Premarket Submissions, which represents the third attempt
at crafting guidance to keep up with the rapidly evolving cyber-threats
that result in ransomware and stolen consumer data. The FDA has been
granted new authority to regulate cybersecurity in these medical
devices and has been rapidly evolving guidance to this effect.

The latest guidance has nearly doubled in size from the previous version
and includes a suite of standards, processes, plans, analyses, and
reports. This document endeavors to itemize them and demonstrate the
relationship between them.

Broadly speaking, the FDA's expectations have expanded to consider the
life cycle of cybersecurity design, urging manufacturers to implement
processes before, during and after the development process.

The common strategy of "air-gapping" the device (eliminating network
connectivity) in an attempt to avoid cybersecurity requirements is no
longer a viable approach. Per the PATCH Act, if the device includes
software/firmware it is considered a cyber-device and needs to comply
with the new guidance.

Further, some of the requirements extend to the RTA (Refuse to Accept)
phase of the submission process, meaning the FDA won't even consider
applications that don't include the initial planning elements. This
criterion is effective as of October 2023.

As medical devices grow increasingly connected, so too does the risk posed by
cybersecurity breaches – risk that could impact patient safety. The FDA’s
guidance on cybersecurity is intended to ensure the safety and performance of
medical devices without hindering innovation.

FDA Guidance

For the uninitiated, it is worth focusing on some of the macro messages
from the guidance.

01. Cybersecurity is now an intrinsic part of device safety and the
application of Quality System controls.

02. The product should be designed around security which involves
applications of authorization, device availability, information
confidentiality and secure software updates.

03. The device manufacturer must be transparent with customers
about how to use the product in their environment without
creating vulnerabilities, the extent of all communication
interfaces, and the extent and implications of any detected
vulnerabilities.

04. Manufacturers need to adopt a Secure Product Development
Framework (SPDF), which defines the stages of the security
development process and mirrors the software life cycle process
contained in IEC 62304.

Supporting Standards

It is worth noting that while the FDA's guidance describes a spectrum of
expectations for manufacturers, many of the details and specifics of
how to meet those expectations are contained in standards and reports
outside of the guidance. To name a few:

- IEC 62443 4-1
Security for industrial automation and control systems — Part 4-1: Secure
Product Development Life Cycle Requirements. Called out in the FDA
guidance.

- IEC 81001 5-1
Health software and health IT systems safety, effectiveness and security —
Part 5-1: Security — Activities in the Product Life Cycle. This is similar to IEC
62443 4-1, but directed at health software rather than industrial
automation.

- AAMI TIR57 - 2016
Principles for medical device security — risk management

- UL 2900
Software cybersecurity for network-connectable products

Note that these standards sit atop foundational standards that also
inform details and expectations of application. For instance:

- 21 CFR 820.30
Federal Regulations, Quality System Regulation

- IEC 14971
Medical devices — application of risk management to medical
devices

- IEC 62304
Medical device software — software life cycle processes

www.ics.com/medical
By 2028, the global Internet of Medical Things (IoMT) market is expected to reach $187.60
billion, up from $41.17 billion in 2020. According to a 2022 report, 53% of digital medical
devices and other internet-connected products used in hospitals had known critical
vulnerabilities caused by issues including unpatched and outdated software.

– Fortune Business Insights and FBI


Understanding the Documents and Relationships


Central to satisfying the FDA's guidance are the documents that convey the procedures and plans, and reports that demonstrate fulfillment of the
regulations. The names and relationships of the documentation can be confusing but the processes are fairly sensible — even somewhat familiar, with
plans preceding analysis, followed by design, then testing, and finally a report. While the specific documents can be more involved, this flow from plans
to reports is repeated throughout.

The new cybersecurity requirements do not apply to a submission to the
FDA before March 29, 2023. However, if a cyber device was previously
authorized and the manufacturer is now making a change to the device
that requires premarket review by the agency, the law applies to the
new premarket submission.

– U.S. Food and Drug Administration



Example of Security Documentation


Because the expectations for cybersecurity in medical devices are scattered across multiple resources (some of which overlap or use inconsistent
terminology), it can be very useful to have a checklist of documents or artifacts that a manufacturer can use as a baseline throughout the product life
cycle. The figure below depicts one such set of documents composed from the 2022 FDA guidance, IEC 81001 5-1 and TIR 57 and where it might fit in a
product file.

Checklist for Medical Device Cybersecurity Documentation

Here the content of each document or folder is described in greater detail. Collectively these provide a specific implementation of the
requirements expressed in the FDA 2022 guidance. Think of this as a checklist of artifacts to create and manage in the corresponding file.

SECURITY RISK MANAGEMENT FILE

Security Risk System Description: Description of the device,
intended use, security operating environment, reasonably
foreseeable misuse, qualitative and quantitative characteristics of
the system that could affect the security of the medical device.

Security Risk Management Plan: Central document that lays out
all intended activities for identifying and mitigating security risks,
including plans for a security risk assessment and mitigating
controls.

Security Risk Assessment: Risk analysis, boundaries of
assessment threat modeling, scoring system, risk model, and
analysis approach (asset, threat, vulnerability).

Threat Model: This is a diagrammatic approach to representing
the attack surface in a system, and systematically compiling
threats identified in the model.

Asset List: This list encompasses every element in the system
that could be co-opted or exploited.

Security Architecture: A documented network architecture with
supporting architecture views: Global System View, Multi-patient
Harm View, Updatability View, Security Use Case Views.

Security Risk Test Plan: All forms of anticipated testing, including
security requirements testing, threat mitigation testing,
vulnerability testing and penetration testing.

Vulnerability Management Plan: A plan for how device
manufacturers will identify and communicate vulnerabilities
discovered throughout the product life cycle. The plan should
specify: personnel responsible for executing the plan, frequency
of monitoring for threats, timeline for remediation, update
processes, and Coordinated Vulnerability Disclosure (CVD).

Customer Transparency Plan: Communicates relevant security
information about the device to its users. This is typically
conveyed as product labeling but contains information about the
cybersecurity characteristics in the intended use environment. It
also contains a spectrum of information from Software Bill of
Materials (SBOM) to decommissioning information. See section
VI.A in the FDA guidance for detailed information.


POST-PRODUCTION INFORMATION FILE

CVE Assessment: CVE stands for Common Vulnerabilities and
Exposures, a glossary that classifies vulnerabilities. The
assessment encompasses routine monitoring of published
vulnerabilities for components included in SBOM, as well as
triaging and risk assessment of impact to device.

Field Monitoring: Assessment of cybersecurity complaints and
other relevant cybersecurity data concerning installed devices.

Cybersecurity Metrics: Capturing and tracking key cybersecurity
performance indicators, such as length of time to patch
cybersecurity issues, and frequency and severity of issues for
SBOM components.

Incident Reporting: Execution of transparency plan, including
customer notifications and reporting of newly discovered
vulnerabilities to searchable databases.

Security Risk Management Report: Summary of evaluation,
assessment, mitigation activities, and trace to Verification and
Validation reports. This report points to all the planning
documents. It provides a comprehensive summary for risk
management, in particular, that the residual risk is acceptable and
that post-production methods are in place. This report should be
updated at least annually.

SBOM: This is a comprehensive list of all software included in the
product, and must be compiled and submitted with any pre-market
submission. Many third-party tools exist to help compile such a list
from the product’s source code and software binaries.

DESIGN HISTORY FILE

Security Requirements: Requirements derive top-level control
categories, which can be found in Appendix 1 of the 2022
guidance. Requirements are principally control mitigations from
the risk analysis.

Security Specifications: These specifications implement the
Security Requirements and trace to specific implementations of
the requirement.

Code Analysis: Source Code Analysis and Binary Code Analysis
lead to creation of the SBOM.

VERIFICATION & VALIDATION

Security Testing Results: A summary of results from all forms of
testing related to security, including security requirement testing,
threat mitigation testing, vulnerability testing, and penetration
testing.

IMPORTANT NOTE
No list of documentation can be said to be definitive. While the
collection described here may not represent an exhaustive approach, it
does cover the key requirements described in the 2022 guidance and
the FDA's Refuse to Accept (RTA) checklist. The FDA uses this tool to
determine whether a 510(k) submission includes all required information
and may be accepted for a substantive review.
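
The CVE Assessment and Cybersecurity Metrics items described above, sketched as an added example (not part of this document or the FDA guidance): SBOM components are matched against a vulnerability feed, affected versions are triaged by CVSS band, and time-to-patch figures are computed. The SBOM, component names, advisory IDs, dates and field names are all constructed for illustration.

```python
from datetime import date
from statistics import mean

# Constructed SBOM excerpt (CycloneDX-like fields; component names are made up).
SBOM = [
    {"name": "examplessl", "version": "1.1.4"},
    {"name": "tinyhttpd", "version": "2.0.9"},
    {"name": "libimgparse", "version": "0.9.2"},
]

# Constructed advisory feed; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "CVE-0000-0001", "name": "examplessl", "fixed_in": "1.1.6", "cvss": 9.1,
     "published": date(2023, 3, 1), "patched": date(2023, 3, 20)},
    {"id": "CVE-0000-0002", "name": "tinyhttpd", "fixed_in": "2.0.5", "cvss": 7.5,
     "published": date(2023, 4, 2), "patched": None},
    {"id": "CVE-0000-0003", "name": "libimgparse", "fixed_in": "1.0.0", "cvss": 5.3,
     "published": date(2023, 5, 10), "patched": None},
]

def vtuple(version):
    """Turn '1.1.4' into (1, 1, 4) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def severity(cvss):
    """CVSS v3 qualitative bands, used here as the triage bucket."""
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    if cvss >= 4.0: return "medium"
    return "low"

def assess(sbom, advisories):
    """Return advisories that affect a shipped component version, worst first."""
    shipped = {c["name"]: c["version"] for c in sbom}
    hits = []
    for adv in advisories:
        have = shipped.get(adv["name"])
        if have is not None and vtuple(have) < vtuple(adv["fixed_in"]):
            hits.append({**adv, "shipped": have, "severity": severity(adv["cvss"])})
    return sorted(hits, key=lambda h: h["cvss"], reverse=True)

def metrics(hits, today):
    """Time-to-patch KPIs: mean days for closed items, age in days of open ones."""
    closed = [(h["patched"] - h["published"]).days for h in hits if h["patched"]]
    open_age = {h["id"]: (today - h["published"]).days for h in hits if not h["patched"]}
    return {"mean_days_to_patch": mean(closed) if closed else None, "open_age_days": open_age}

if __name__ == "__main__":
    findings = assess(SBOM, ADVISORIES)
    print([f["id"] for f in findings], metrics(findings, date(2023, 6, 1)))
```

The second advisory is correctly excluded because the shipped version is already past the fixed version; a plain string comparison of version numbers would get cases like 2.0.10 versus 2.0.9 wrong.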

Summary
The FDA's 2022 cybersecurity guidance is comprehensive and
strongly emphasizes the importance of early-stage integration of
security measures during medical device development and the
necessity of post-market vigilance.
However, the actual implementation of this guidance presents
challenges for manufacturers, as the specifics need to be drawn
from several standards and reports with overlapping but subtly
different content. A representative and coherent set of
documentation has been presented that meets the main set of
requirements, but a selective approach is still warranted to size
this to a specific product and achieve the best balance of effort
and value.

All new medical device applicants must
create a process that provides “reasonable
assurance” that the device in question is
protected. Medical device cybersecurity is
now front and center – no longer an
afterthought in the development process.

Developing a Medical Device?
For assistance complying with the FDA’s guidance on medical device
cybersecurity, reach out to our experienced regulatory team.
617.621.0060

ICS’ device cybersecurity experts can help you safeguard your medical device and streamline compliance with FDA guidance. We offer:

▪ Gap analysis for FDA’s April 2022 guidance
▪ Threat modeling assessments
▪ Monitoring & annual cybersecurity report
▪ Software Bill of Materials (SBOM) generation
▪ Submission or pre-submission documentation
▪ Secure Product Development Framework (SPDF) compliance
▪ Manufacturer’s Disclosure Statement for Medical Device Security (MDS)
▪ Static analysis compliance & report
▪ UL 2900 assessment

Beyond cybersecurity, we also offer full product
realization for medical devices, in vitro diagnostics,
scientific software and SaMD. Call us for expert
consulting in the following areas:

▪ Custom software development
▪ UX/UI & human factors
▪ Regulatory services
▪ Product testing
▪ Cloud connectivity

Integrated Computer Solutions, Inc. (ICS) | 230 Second Avenue. Waltham, MA 02451 | 617.621.0060 | www.ics.com/medical
©2023 Integrated Computer Solutions, Inc. All trademarks and registered trademarks are the property of their respective owners | ICS Terms of Service (www.ics.com/tos)