Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
- Security Assessment of Unresolved Anomalies
FDA’s Premarket Software Guidance recommends that device manufacturers provide a list of software anomalies (e.g., bugs or defects) that exist in a product at the time of submission. For each of these anomalies, FDA recommends that device manufacturers conduct an assessment of the anomaly’s impact on safety and effectiveness, and consult the Premarket Software Guidance to determine the associated documentation recommended for inclusion in the device’s premarket submission.

Some anomalies discovered during development or testing may have security implications and may also be considered vulnerabilities. As part of ensuring a complete security risk assessment under 21 CFR Part 820.30(g), the assessment of impacts to safety and effectiveness may include an assessment of the potential security impacts of anomalies. The assessment should also include consideration of any Common Weakness Enumeration (CWE) categories present.[35]

For example, a clinical user may inadvertently reveal the presence of a previously unknown software anomaly during normal use, where the impact of the anomaly might occur sporadically and be assessed as acceptable from a software risk perspective. Conversely, a threat actor might seek out these types of anomalies and identify means to exploit them in order to manifest the anomaly’s impact continuously. Because the probability of occurrence is no longer sporadic once an adversary can trigger the anomaly on demand, this could significantly affect the acceptability of the risk when compared to an anomaly assessment that did not include security considerations.

The criteria and rationales for addressing the resulting anomalies with security impacts should be provided as part of the security risk assessment documentation in the premarket submission.
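The following is an added example, not part of the FDA guidance and not any manufacturer's actual process. It models the two-pass assessment the section describes: each unresolved anomaly is scored once as a software (safety) risk using the probability observed in normal use, then re-scored on the assumption that a threat actor can trigger it deliberately, with any CWE categories recorded alongside. The ordinal severity/probability scales, the risk index (severity times probability), the acceptance threshold, the anomaly identifiers and the sample anomalies are all constructed for illustration; FDA does not prescribe these values.

```python
from dataclasses import dataclass, field

# Illustrative ordinal scales and acceptance threshold. These are assumptions
# for this example only; the guidance does not specify a scoring scheme.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
ACCEPTABLE_MAX = 8  # risk index = severity * probability; at or below this is acceptable


@dataclass
class Anomaly:
    ident: str
    description: str
    severity: str                 # worst-case harm if the anomaly manifests
    probability: str              # how often it manifests under normal clinical use
    cwe_ids: list[str] = field(default_factory=list)  # CWE categories judged present, if any
    attacker_triggerable: bool = False  # can a threat actor make it manifest on demand?


def risk_index(severity: str, probability: str) -> int:
    return SEVERITY[severity] * PROBABILITY[probability]


def safety_assessment(a: Anomaly) -> dict:
    """Software-risk view: probability as observed during normal use."""
    idx = risk_index(a.severity, a.probability)
    return {"id": a.ident, "probability": a.probability, "risk_index": idx,
            "acceptable": idx <= ACCEPTABLE_MAX}


def security_assessment(a: Anomaly) -> dict:
    """Security view: if a threat actor can induce the anomaly deliberately, the
    sporadic probability no longer applies and it is re-scored as 'frequent'."""
    prob = "frequent" if a.attacker_triggerable else a.probability
    idx = risk_index(a.severity, prob)
    is_vuln = a.attacker_triggerable or bool(a.cwe_ids)
    if a.attacker_triggerable:
        rationale = (f"anomaly can be induced on demand; probability raised from "
                     f"'{a.probability}' to 'frequent'")
    elif a.cwe_ids:
        rationale = "weakness category present but no exploitation path identified"
    else:
        rationale = "no security impact identified"
    return {"id": a.ident, "probability": prob, "risk_index": idx,
            "acceptable": idx <= ACCEPTABLE_MAX, "vulnerability": is_vuln,
            "cwe_ids": list(a.cwe_ids), "rationale": rationale}


def anomalies_needing_security_rationale(register: list[Anomaly]) -> list[dict]:
    """Anomalies that are vulnerabilities, or whose acceptability changes once
    security is considered. These are the ones for which criteria and rationale
    belong in the security risk assessment documentation."""
    out = []
    for a in register:
        s, sec = safety_assessment(a), security_assessment(a)
        if sec["vulnerability"] or sec["acceptable"] != s["acceptable"]:
            out.append({**sec, "safety_risk_index": s["risk_index"],
                        "safety_acceptable": s["acceptable"]})
    return out


# Constructed sample register: hypothetical anomalies, not from any real device.
REGISTER = [
    Anomaly("ANO-001", "Status screen flickers once after display rotation",
            "negligible", "occasional"),
    Anomaly("ANO-002", "Pump UI stalls ~2 s when a malformed Bluetooth packet is parsed",
            "serious", "remote", cwe_ids=["CWE-20"], attacker_triggerable=True),
    Anomaly("ANO-003", "Audit log rotation skipped when log directory exceeds 10,000 files",
            "minor", "remote", cwe_ids=["CWE-778"]),
]

if __name__ == "__main__":
    for a in REGISTER:
        print(safety_assessment(a))
        print(security_assessment(a))
    for item in anomalies_needing_security_rationale(REGISTER):
        print(item["id"], item["rationale"])
```

ANO-002 is the case the section's example describes: a serious but rarely occurring stall scores as acceptable on the safety pass, but once the malformed packet that triggers it can be sent on demand the probability is no longer remote and the same anomaly exceeds the threshold. ANO-003 never changes acceptability, yet it is still listed because a CWE category is present and the submission should record why it was judged not to need further action.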