Safety and Security Risk Management
Historically, speaking about Risk Management in the context of medical devices has been synonymous with Safety Risk Management, and ensuring alignment and compliance with ISO 14971 has been sufficient to demonstrate an adequate posture towards risk in the context of a medical device submission. In fact, relying on the standard has been the primary mechanism for ensuring medical devices do not pose undue harm to patients, users, and interacting stakeholders.
However, as medical devices become more technologically complex and connected, cybersecurity threats emerge as a significant, and often overlooked, concern. Due to the nature of these risks, it is often not immediately obvious how cybersecurity can (and will) impact patients, users, and the actors involved with a medical device.
Several high-profile cybersecurity incidents have demonstrated that compromised medical devices can lead to delays in treatment, loss of sensitive patient data, or even direct harm to patients. Given these risks, the FDA emphasizes that manufacturers must consider cybersecurity risks as part of their overall risk management strategy.
Recognising this reality, the FDA now expects manufacturers to integrate Security Risk Management as a complementary process to Safety Risk Management, explicitly identifying a Security Risk Management Report as a component of the submission. Below is the exact text included in the submission form:
Please attach your security risk management report detailing a separate, parallel, and interconnected security risk management process. This is different from your safety risk management process.
But what does that mean, practically?
Let's define each of the terms how they apply to the context of submission, in terms of Risk Management:
Separate
Manufacturers are explicitly requested to approach safety and security risk management as entirely separate processes, with distinct sets of documentation and targeted methodologies, with the objective of ensuring both risk processes are complementary.
The expected separation of the security risk management process shall be manifested by a demonstrably separate and distinct process and methodology which, despite being interconnected (see below), effectively tackles the nature of the risks concerned.
A reviewer or auditor will typically expect to see a separate SOP (and WIs, where appropriate) whose process reflects the nature of the risks being managed, occasionally extending beyond the immediate scope of the medical device when assets such as data are affected by it, and demonstrating that cybersecurity threats are adequately managed throughout the lifecycle of the device.
Parallel
A parallel approach means that safety and security risk management are performed simultaneously (yet separately), ensuring that each discipline receives appropriate focus and results in effective risk management. This method allows manufacturers to align their security risk assessment with evolving cybersecurity threats while ensuring safety remains a top priority.
Parallel assessments help create a balanced risk management process where security considerations do not overshadow safety concerns and/or vice-versa. Manufacturers shall ensure that risk control measures for one area do not inadvertently introduce risks in the other, whilst maintaining traceability between both risk management activities.
Interconnected
Manufacturers are expected to integrate safety and security risk management, recognising their interdependence; this involves embedding cybersecurity risk considerations directly into safety risk management frameworks and aligning mitigation strategies across both domains.
A reviewer or auditor will expect to readily identify and trace any safety impact deriving from a security risk, which demonstrates a clear, robust, and convincing argument for the device's safety and effectiveness.
An interconnected approach ensures that cybersecurity vulnerabilities are assessed in the context of their potential impact on patient safety which demonstrates a unified risk management strategy.
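The traceability a reviewer looks for in the "Parallel" and "Interconnected" sections above can be checked mechanically once both registers are kept as structured data. The following is an added example written for this article (it is not the article's own material, nor a tool from qity.be); the record layouts and the SR-/HZ-/RC- identifiers are assumptions, and the register contents are constructed. It flags three gaps: a security risk with safety impact that links to no hazard, a link to a hazard id that does not exist, and a risk control in one domain that introduces a risk the other domain's register has not captured.

```python
from dataclasses import dataclass, field


@dataclass
class RiskControl:
    control_id: str
    description: str
    # Identifiers of risks this control is known to introduce in the *other*
    # register (a safety control that opens a security risk, or vice versa).
    introduces: set = field(default_factory=set)


@dataclass
class SafetyHazard:                       # ISO 14971-style entry (layout assumed)
    hazard_id: str
    hazardous_situation: str
    harm: str
    controls: list = field(default_factory=list)


@dataclass
class SecurityRisk:                       # security register entry (layout assumed)
    risk_id: str
    threat: str
    vulnerability: str
    safety_impact: bool                   # can exploitation plausibly lead to patient harm?
    linked_hazards: list = field(default_factory=list)  # hazard ids capturing that harm
    controls: list = field(default_factory=list)


def check_traceability(security_register, safety_register):
    """Return the gaps a reviewer would flag when reading both registers together."""
    hazard_ids = {h.hazard_id for h in safety_register}
    risk_ids = {r.risk_id for r in security_register}

    # 1. Every security risk with a safety impact must point at a hazard entry,
    #    and every link must resolve to an entry that actually exists.
    unlinked = sorted(r.risk_id for r in security_register
                      if r.safety_impact and not r.linked_hazards)
    dangling = sorted(f"{r.risk_id}->{hz}" for r in security_register
                      for hz in r.linked_hazards if hz not in hazard_ids)

    # 2. A control in one domain that introduces a risk in the other domain must
    #    have that risk captured in the other register (risk controls must not
    #    inadvertently create unmanaged risks across the boundary).
    uncaptured = []
    for h in safety_register:
        for c in h.controls:
            uncaptured += [f"{c.control_id}->{x}" for x in sorted(c.introduces)
                           if x not in risk_ids]
    for r in security_register:
        for c in r.controls:
            uncaptured += [f"{c.control_id}->{x}" for x in sorted(c.introduces)
                           if x not in hazard_ids]

    return {"unlinked": unlinked, "dangling": dangling,
            "uncaptured_cross_domain": uncaptured}


# Constructed sample registers for an imaginary infusion pump.
SAFETY_REGISTER = [
    SafetyHazard("HZ-01", "infusion stops unexpectedly", "delayed treatment",
                 controls=[RiskControl("RC-S1", "local watchdog restarts the pump"),
                           RiskControl("RC-S2", "remote clinician restart over the network",
                                       introduces={"SR-04"})]),   # SR-04 never captured
    SafetyHazard("HZ-02", "wrong dose programmed", "overdose"),
    SafetyHazard("HZ-03", "clinician cannot log in during an emergency", "delayed treatment"),
]

SECURITY_REGISTER = [
    SecurityRisk("SR-01", "network flood", "no rate limiting on service port", True,
                 linked_hazards=["HZ-01"]),
    SecurityRisk("SR-02", "unauthenticated configuration write", "no auth on config API",
                 True),                                             # gap: no hazard link
    SecurityRisk("SR-03", "PHI exfiltration", "unencrypted export file", False,
                 controls=[RiskControl("RC-C1", "encrypt exports at rest")]),
    SecurityRisk("SR-05", "credential brute force", "no lockout", True,
                 linked_hazards=["HZ-02", "HZ-99"],                 # HZ-99 does not exist
                 controls=[RiskControl("RC-C2", "lock account after 5 failures",
                                       introduces={"HZ-03"})]),     # captured as HZ-03
]

if __name__ == "__main__":
    for kind, items in check_traceability(SECURITY_REGISTER, SAFETY_REGISTER).items():
        print(f"{kind}: {items}")
```

Running the block lists SR-02 as unlinked, SR-05->HZ-99 as a dangling link, and RC-S2->SR-04 as an uncaptured cross-domain risk, while RC-C2's lockout control passes because its safety consequence is already recorded as HZ-03. The same check can be run in CI against the exported registers so that the two processes stay separate in ownership yet provably interconnected.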
Scope of each within the TPLC
Let's then delve into each concept and highlight the differences within the context of the lifecycle:
Safety Risk Management
Safety Risk Management, directly aligned with ISO 14971, focuses on preventing harm, defined as physical injury or damage to health, resulting from hazardous situations caused by device failures or malfunctions. This approach systematically identifies hazards, assesses the associated hazardous situations, and applies risk controls to reduce or eliminate the potential harm to patients (this is a simplified summary; for further details refer to ISO 14971).
Security Risk Management
Security risk management, on the other hand, addresses risks stemming from cybersecurity threats and vulnerabilities. While traditional safety risk assessments consider failures inherent to device operation, security risk assessments must account for external actors who may exploit vulnerabilities, leading to both direct and indirect patient harm: denial-of-service attacks, causing device unavailability and delayed treatment; unauthorised access, resulting in altered device functionality or incorrect treatment administration; and data breaches, compromising patient privacy and leading to regulatory repercussions.
Unlike safety risk management, which primarily deals with inherent product risks, security risk management must consider evolving external threats, requiring continuous assessment and updates throughout the Total Product Lifecycle (TPLC) (see https://www.fda.gov/about-fda/cdrh-transparency/total-product-life-cycle-medical-devices ).
FDA’s Expectations for Security Risk Management in Submissions
Recognising the limitations of safety risk management alone, the FDA now expects manufacturers to incorporate cybersecurity risk management into their regulatory submissions. The key expectations include:
Performing a Separate Security Risk Assessment
Manufacturers must conduct a cybersecurity risk assessment alongside their safety risk assessment, aimed at identifying potential threats, evaluating vulnerabilities, and implementing risk controls to mitigate the identified risks.
Threat Modeling and Vulnerability Assessments
Threat modeling helps manufacturers anticipate how cyber threats could exploit vulnerabilities and impact device functionality. These must be performed regularly to identify weaknesses in device software, firmware, and third-party components.
Integration into the TPLC
An effective Security Risk Management process must govern activities which continuously monitor and update reports and registers throughout the device lifecycle, including regular software updates, security patches, post-market surveillance (PMS) for emerging threats, and incident response plans, among others.
Compensating Controls and Risk Transfer Strategies
When full risk elimination is not possible, compensating controls (such as network segmentation, encryption, and access controls) must be implemented. In some cases, manufacturers may transfer residual risks to users through appropriate labeling, user training, and security guidelines.
The Role of Security Risk Management in Design and Interoperability
Secure Design Controls (21 CFR 820.30)
Manufacturers must now incorporate cybersecurity considerations into device design controls, ensuring that security features are embedded from the outset rather than added as an afterthought.
Managing Interoperability Risks
Interoperable medical devices introduce additional risks, particularly in networked hospital environments. Security risks may arise from unintended device access, where unauthorized users gain control over a device; malfunctions caused by data corruption, affecting device performance; and failures caused by non-compliance with interoperability standards.
To mitigate these risks, manufacturers must ensure security features do not degrade essential performance (as determined when establishing IEC 60601-1 compliance), validate the device's ability to handle corrupted or unexpected data inputs, and implement secure communication protocols and access restrictions.
Conclusions
As medical devices become more interconnected, safety risk management alone is no longer sufficient for FDA submissions.
The evolving landscape of cybersecurity threats necessitates a proactive and continuous security risk management process to ensure patient safety and regulatory compliance. By integrating cybersecurity considerations into their quality systems, manufacturers can proactively align with FDA expectations, mitigate risks, and enhance the overall security and effectiveness of their devices.
Can we lend a hand?
Reach out to us at https://www.qity.be