Contains Nonbinding Recommendations
information in these sections does not represent a complete SPDF. For more information on SPDFs, see earlier in Section V. In addition, FDA does not recommend that manufacturers discontinue existing, effective processes.
A. Security Risk Management
To fully account for cybersecurity risks in medical device systems, the safety and security risks
of each device should be assessed within the context of the larger system in which the device
operates. In the context of cybersecurity, security risk management processes are critical
because, given the evolving nature of cybersecurity threats and risks, no device is, or can be,
completely secure. Security risk management should be an integrated part of a manufacturer’s
entire quality system, addressed throughout the TPLC.[32] The quality system processes entail the
technical, personnel, and management practices, among others, that manufacturers use to manage
potential risks to their devices and ensure that their devices are, and once on the market, remain,
safe and effective, which includes security.
Performing security risk management is distinct from performing safety risk management as described in ISO 14971. The two processes differ because, in the security context versus the safety context, the scope of possible harm and the risk assessment factors may be different. While safety risk management focuses on physical injury, damage to property or the environment, or delay and/or denial of care due to device or system unavailability, security risk management may include risks that can result in indirect or direct patient harm. Additionally, risks that are outside of FDA's assessment of safety and effectiveness, such as business or reputational risks, may also exist.
The scope and objective of a security risk management process, in conjunction with other SPDF
processes (e.g., security testing), is to expose how threats, through vulnerabilities, can manifest
patient harm and other potential risks. These processes should also ensure that risk control
measures for one type of risk assessment do not inadvertently introduce new risks in the other.
For example, AAMI TIR57 details how the security and safety risk management processes should interface to ensure all risks are adequately assessed.[33] FDA recommends that security risk management processes, as detailed in the QS regulation,[34] be established or incorporated into those that already exist, and that they address the manufacturer's design, manufacturing, and distribution processes, as well as updates, across the TPLC. The processes in the QS regulation that may be relevant in this context include, but are not limited to, design controls (21 CFR 820.30), validation of production processes (21 CFR 820.70), and corrective and preventive actions (21 CFR 820.100), to ensure both safety and security risks are adequately addressed. For completeness in performing risk analyses under 21 CFR 820.30(g), FDA recommends that device manufacturers conduct both a safety risk assessment and a separate, accompanying security risk assessment to ensure a more comprehensive identification and management of patient safety risks.
[32] The TPLC processes include design and development, manufacturing, postmarket monitoring, delivering device software and firmware updates, and servicing, among others.
[33] AAMI TIR57, Principles for medical device security—Risk management, describes the security risk management process and how it should link into the safety risk management process and vice versa.
[34] 21 CFR 820.