Medical Device Cybersecurity Draft Guidance Explainer Series Part 3 – Cybersecurity Testing 

In the past few weeks, Nova Leah has been putting together an explainer series where we take a closer look at a few key sections outlined in the FDA’s new draft guidance ‘Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions’.

The draft guidance was released in April 2022 and represents a significant step towards ensuring greater medical device security and patient safety. In terms of managing cybersecurity risks, the new draft guidance is broken into three key sections – Security Risk Management, Security Architecture and Cybersecurity Testing.

If this is your first time checking out this series, we’ve provided some links to get you up to speed.  

1. FDA Publishes Draft Guidance on Medical Device Cybersecurity (Pre-Market) – We introduce the latest draft guidance and its evolution over the past decade.
2. Medical Device Cybersecurity Draft Guidance Explainer Series Part 1 of 3 – Security Risk Management – We take a deep dive into the first key section, security risk management. We introduce some of the recommended security risk management protocols and what they mean to medical device manufacturers.
3. Medical Device Cybersecurity Draft Guidance Explainer Series Part 2 of 3 – Security Architecture – We look at security architecture, which is a set of security principles, methods and models that are designed to keep your organization, medical devices and, ultimately, your patients safe.

In the final section of this explainer series, we are taking a closer look at part C of the draft guidance document, which relates to cybersecurity testing. 

Cybersecurity Testing and IMDRF 

“As with other areas of product development, testing is used to demonstrate the effectiveness of design controls. While software development and cybersecurity are closely related disciplines, cybersecurity controls require testing beyond standard software verification and validation activities to demonstrate the effectiveness of the controls in a proper security context to therefore demonstrate that the device has a reasonable assurance of safety and effectiveness.” 
Extract from new draft guidance document 

Cybersecurity testing is a process of measuring how effective your cybersecurity strategy is against potential attacks. Common types of cybersecurity testing include penetration testing and vulnerability scanning. In its 2020 document ‘Principles and Practices for Medical Device Cybersecurity’, the International Medical Device Regulators Forum (IMDRF) provided some high-level considerations for medical device manufacturers:

• Perform target searches on software components/modules for known vulnerabilities or software weakness also during development. For example, periodic security testing can include: static code analysis, dynamic analysis, robustness testing, vulnerability scanning, or software composition analysis.
• Conduct technical security analyses (e.g., penetration testing). These include efforts to identify unknown vulnerabilities through fuzz testing, for example; or checks for alternative entry points, e.g., by reading hidden files, configuration, data streams or hardware registers.
• Complete a vulnerability assessment. This includes an impact analysis of the vulnerability on other in-house products (i.e., variant analysis), the identification of countermeasures, and the remediation or mitigation of vulnerability.


Cybersecurity Testing Recommendations in the New Draft Guidance
 


The new draft guidance, ‘Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions’, is a 49-page document which, when finalized, will supersede the 9-page document that is currently in effect. Of those forty-nine pages, the two sections we previously examined (security risk management and security architecture) take up thirteen pages between them while cybersecurity testing takes up a mere two. This says more about the complexity of the two former sections than the lack of importance placed on the latter.

Security testing is mentioned throughout the draft guidance document in relation to SBOMs, security risk management, the implementation of security controls, cybersecurity transparency, and vulnerability management.

Within the section on cybersecurity testing, FDA states that manufacturers must establish and maintain procedures for verifying the device design and validating the device design. It is also recommended that security testing documentation and any associated reports or assessments should be submitted in the premarket submission.  

Four Types of Cybersecurity Testing

In terms of cybersecurity testing, FDA recommends that the following types of testing be provided in a premarket submission. It is also recommended that all tests are provided with the date they were performed and the level of independence involved in the testing itself. As you may notice, these recommendations closely align with the advice given by the IMDRF.

1. Security requirements 

• Manufacturers should provide evidence that each design input requirement was implemented successfully.
• Manufacturers should provide evidence of their boundary analysis and rationale for their boundary assumptions.

2. Threat mitigation 

• Manufacturers should provide details and evidence of testing that demonstrates effective risk control measures according to the threat models provided in the system, use case, and call-flow views.
• Manufacturers should ensure the adequacy of each cybersecurity risk control (e.g., security effectiveness in enforcing the specified security policy, performance for maximum traffic conditions, stability and reliability, as appropriate).

3. Vulnerability testing

Vulnerability testing is the process of evaluating security risks in software systems to reduce the likelihood of those threats occurring. Within the draft guidance it is suggested that medical device manufacturers should provide details and evidence of various testing strategies including those that pertain to:

• Abuse case, malformed, and unexpected inputs,
• Attack surface analysis,
• Vulnerability chaining,
• Closed box testing of known vulnerability scanning,
• Software composition analysis of binary executable files,
• Static and dynamic code analysis.

4. Penetration testing

Penetration testing is a systematic approach to cybersecurity testing which involves simulating an attack against your system in order to unearth vulnerabilities in your networks and applications.  

When performing penetration tests, the FDA recommends providing the following details in test reports: 

• Independence and technical expertise of testers,
• Scope of testing,
• Duration of testing,
• Testing methods employed, and
• Test results, findings, and observations.

The Medical Device Draft Guidance and SelectEvidence® 

 

Within the draft guidance document, the FDA recommends that cybersecurity testing should be carried out throughout the product life cycle. It should be carried out in the early development stages to ensure that security issues are addressed in a time-efficient manner so that products do not need to be redesigned at a late stage or recalled. After release, cybersecurity testing should be performed at regular intervals to ensure that potential vulnerabilities are identified before it’s too late.

This idea of repeatedly and continuously monitoring vulnerabilities is something that aligns closely with SelectEvidence®. Nova Leah’s expert cybersecurity risk assessment platform guides medical device manufacturers through the process of identifying applicable vulnerabilities and identifying the right security controls to mitigate those risks. SelectEvidence® continually monitors SBOMs across all connected medical devices and scans for vulnerabilities in real time.  

Organize a free demo today and one of our team can walk you through the various components of SelectEvidence® and how they relate to the recommendations outlined in this explainer series.


Cybersecurity Draft Guidance Series Review

Introduction – FDA Publishes Draft Guidance on Medical Device Cybersecurity (Pre-Market) 

Explainer Series Part 1 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Security Risk Management

Explainer Series Part 2 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Security Architecture 

Explainer Series Part 3 of 3 – Medical Device Cybersecurity Draft Guidance Explainer Series – Cybersecurity Testing 

Cybersecurity Draft Guidance – Read the new draft guidance in full.