The goal of this publication is to help you in the development of your device with a focus on a very hot topic: Cybersecurity. With the content of this publication, you will be able to understand how Cybersecurity (also called software security) can impact your process of development and the design of your device.

Introduction

For introduction content, refer to the Parts previously published.

Verify efficacy and effectiveness of Risk Control Measures

Security risk control measures shall be verified. Their testing shall be part of the software verification plan of the product according to IEC 62304. While some dedicated tests shall be developed for the security risk control measures specific to your product, others are more standard:

Common Vulnerability testing

Check that all identified common vulnerabilities associated to the use third party components are handled either through the integration of a patch or through the provision of a clear rationales explaining their non-applicability.

Malware testing

Ensure that no malware is embedded in your software, in the third-party components or in the used operating system using malware screening software.

Malformed Input Testing

Every check developed to validate external data must be verified. This includes, but is not limited to:

Verify proper behavior of input files authentication using cryptographic signatures,
Verify that the product is not impacted by malformed inputs (reject data making no sense) which could result in an attempt of hacking,
Verify proper behavior of peer authentication before data exchange,
Verify proper behavior of code impacted by external input(s). Fuzzing tools like American Fuzzy Lop (AFL) may help in this process.

Figure 1. AFL Screenshot

Penetration testing

The best way to verify that all vulnerabilities are correctly fixed is to request a penetration testing lab to confirm that none of them can be exploited.

Structured penetration testing is required by UL 2900-1, section 16. Penetration testing should be run by an independent lab. Such test should be first performed as “Black-box testing”, which means that testers will try to find and exploit vulnerabilities with no (or very little) knowledge of the device. Then, “White-box” testing should be run, where all valuable information (even source code or schematics if necessary) is provided. Also, providing the list of identified CVEs will help the lab confirm that the device does not contain weaknesses.

Security risk management report

A security risk management report shall be generated to summarize the plan followed, the activities performed, and the list of documents generated including a list of the identified threats (from your own device and from third-party components), the associated risk control measures or rationales for their absence, the results of the verification campaign and the instructions for use related to security.

The security risk management plan mentioned in the report must define what are the next expected actions regarding security (improvements and periodic reviews).

It may happen that some of your threats or vulnerabilities verification is not fully successful: this shall be documented within a list of known anomalies. For those remaining anomalies, clear and convincing rationales shall be provided to argue why those anomalies are acceptable for the ongoing software release. If they are not acceptable, those anomalies shall be fixed before releasing the software.

Release & Distribute Update

Once your system is fully verified and validated, the software version can be released and made available for design transfer and manufacturing. If your system is a standalone software, this means that you can generate your installation files based on this software release. However, the efficacy and effectiveness of the installation files must be validated through the verification of the proper behavior of the software installed using these installation files. This can be done using a sub-set of your verification tests: the installation, operational and performance qualification tests.

Once the proper behavior of the installation files verified, you can finalize your technical documentation for submission to authorities and/or inform your users about the availability of security updates for their installed software. The procedure and tools for such software security update shall be already available to your customers.

Debiotech recommends:

Integrating within your system a way to inform your users that a security update is available.
Integrating within your system a way to easily update their product version with the new one.

Market withdrawal and decommissioning

The security risk management plan shall also include actions required when decommissioning a device. Those actions shall ensure that no sensitive data remain accessible to possible technical or customer services after decommissioning of the device.

Regulatory landscape

From a regulatory standpoint, data protection and data privacy are usually treated in the same texts. Data security on its side has its own legislations. The applicable regulations usually depend on the type of data: health-related data are usually associated with stronger requirements in term of privacy and security.

Data protection & privacy:

Europe: GDPR (Europe),
Switzerland: Federal Act on Data Protection,
US: HIPAA and numerous data protection laws enacted on both the federal and state levels.

Data security:

US: HIPAA
International:
- UL-2900
- ISO 27000 Series
- NIST Cybersecurity Framework

Authors

	Rémi Charrier Business Development Director r.charrier@debiotech.com
		João Budzinski R&D Director j.budzinski@debiotech.com
	Laurent Colloud Software Project Manager l.colloud@debiotech.com
		Gilles Forconi Software Quality Manager g.forconi@debiotech.com

Next steps

Debiotech is glad to have the opportunity to share its knowledge with innovative companies from the MedTech industry. Your feedbacks on this publication are welcome and will be used to update it or to create new publications on topics you care about.

Continue your education on medical device development by:

Accessing Debiotech historic publications: https://www.debiotech.com/news-grid/
Following Debiotech on LinkedIn to be notified on new publications: https://www.linkedin.com/company/debiotech-sa
Contacting us to ask a question or request personalized support: contact@debiotech.com

Debiotech would be proud to be your partner and support you with:

Medical device design & development services:
- Software: Digital Health, Firmware, Embedded, SaMD
- Electronics: Design, Verification and Validation
- Mechanics: Design for micro-fabrication & fluidics systems
- Supply chain development and optimization

Support in medical innovation management:
- Market analysis and segmentation
- IP management
- Business plan consolidation
- Partnership development

Download full publication

Back to news

Cookie	Durée	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used for 11 months to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record for 11 months the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used for 11 months to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used for 11 months to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used for 11 months to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store for 11 months whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Durée	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_R2EJS0K4ED	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_221899411_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

How to handle Cybersecurity for your Medical Device? Part 5/5 Verify efficacy and effectiveness of risk control measures

Introduction

Verify efficacy and effectiveness of Risk Control Measures

Common Vulnerability testing

Malware testing

Malformed Input Testing

Penetration testing

Security risk management report

Release & Distribute Update

Market withdrawal and decommissioning

Regulatory landscape

Authors

Next steps

Debiotech SA

How to handle Cybersecurity for your Medical Device? Part 5/5 Verify efficacy and effectiveness of risk control measures

Introduction

Verify efficacy and effectiveness of Risk Control Measures

Common Vulnerability testing

Malware testing

Malformed Input Testing

Penetration testing

Security risk management report

Release & Distribute Update

Market withdrawal and decommissioning

Regulatory landscape

Authors

Next steps

Cookie banner