By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
AcceptDenyPreferences
Privacy

Frequently Asked Questions

What information should be included in the risk management documentation in regards to cybersecurity risks?

No items found.
No items found.
No items found.

The following information should be included:

  • A system level threat model that includes a consideration of system level risks, including but not limited to risks related to the supply chain (e.g., to ensure the device remains free of malware), design, production, and deployment (i.e., into a connected/networked environment).  
  • A specific list of all cybersecurity risks that were considered in the design of your device. It is recommended to provide descriptions of risk that leverage an analysis of exploitability to describe likelihood instead of probability. If numerical probabilities are provided, it is recommended to provide additional information that explains how the probability was calculated.
  • A specific list and justification for all cybersecurity controls that were established for your device. This should include all risk mitigations and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
    -    A list of verifiable function/subsystem requirements related to access control, encryption/decryption, firewalls, intrusion detection/prevention, antivirus packages, etc.
    -    A list of verifiable of security requirements impacting other functionality, data, and interface requirements
  • A description of the testing that was done to ensure the adequacy of cybersecurity risk controls (e.g., security effectiveness in enforcing the specified security policy, performance for required traffic conditions, stability and reliability as appropriate). Test reports should include:
    -    Testing of device performance
    -    Evidence of security effectiveness of third-party OTS software in the system
    -    Static and dynamic code analysis including testing for credentials that are “hardcoded”, default, easily-guessed, and easily compromised
    -    Vulnerability scanning
    -    Robustness testing
    -    Boundary analysis
    -    Penetration testing
    -    Third Part test reports
  • A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered in your security risk and hazard analysis.
  • A CBOM cross referenced with the National Vulnerability Database (NVD) or similar known vulnerability database. Provide criteria for addressing known vulnerabilities and a rationale for not addressing remaining known vulnerabilities, consistent with the FDA’s final guidance, Postmarket Management of Cybersecurity in Medical Devices.

Related FAQs:
See More FAQs
Proxima Newsletter
Rants, raves and observations.
Occasionally an opinion or fact.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Expertise
MedTech
Biotech
Resources
Resource Hub
Insights
Video Hub
Company
About
People
Careers
Company Updates
Privacy Policy
Connect
2450 Holcombe Blvd.
Houston, TX 77021
Hello@ProximaCRO.com
+1.774.473.9524
Proxima Clinical Research, Inc. (aka Proxima CRO) is a registered Delaware C Corp, headquartered in Houston, TX
© Copyright 2024 Proxima Clinical Research, Inc. All Rights Reserved.
No items found.
No items found.
No items found.