Cybersecurity Services

Some say medical device software cybersecurity concerns grew out of a case of “Art Imitates Life.”  There probably was some correlation to FDA coming out with its first Cybersecurity Guidance for Medical Devices around the same time as a popular ` fictional dramatic series episode depicted the Vice President’s pacemaker hacked and shut off via a double agent’s phone with the correct code.  (It wasn’t even a smartphone.)  Keeping network and or USB connected medical devices vigilant of and resistant to cybersecurity threats is necessary to protect patients, patient data, and reduce regulatory risks. Failure to address cybersecurity submission expectations can lead to approval and or clearance delays. That is the reason when CRO Group assists in medical device software/SaMD/Digital Health consulting services, we are happy to offer device cybersecurity.

USA FDA

As part of SDLC and Premarket Submissions, CRO Group routinely performs documented cybersecurity assessments based on FDA Premarket Guidance which also follows NIST Cybersecurity Framework (CSF). CRO Group’s cybersecurity assessment identifies at both the product and SDLC process level if any gaps exist vs the FDA Guidance. Each identified gap is added to the applicable Risk Analysis along with mitigation/risk controls, and a verification/test sequence to the Trace Matrix.  In addition, as part of the SDLC Software Maintenance and QMS CAPA process, CRO Group revisits the assessment using the FDA Post Market Guidance.   As part of the Post Market Assessment, CRO Group reviews if previously identified  pre and post mitigation Cyber risks were graded properly, and if any new risks need to be added.  For example, if the developer is aware of new SQL Server hacks which were not known at the time of the initial Digital Health app release, these are integrated into the SDLC process.

EU Technical File/Design Dossier CE Mark

While there’s no difference in the Pre or Post Market Cybersecurity Assessment, as part of EN 62304/SDLC,  ISO 14971 Risk Management and EU MDVR / Post Market Surveillance processes, CRO Group updates impacted documentation (ex. EU Technical File/Design Dossier, Risk Management Report,) and tees up Vigilance and Post Market Surveillance reports when applicable.     CRO Group is also aware of Competent Authorities and or Notified Bodies who expect connected device manufacturers and SaMD/Digital Health app developers to follow FDA Guidance while awaiting that from IMDRF, and are interested during product reassessments or substantial change technical filings in how connected devices and SaMD counter newly identified threats – for example, if Advisory Notices or other Corrections are needed.  CRO Group consultants often act as the “Software Regulatory Manager” with Notified Bodies and or Competent Authorities who have issued queries in response to newly identified threats.