FDA Cybersecurity Testing Requirements - Interview with Red Sentry
HTML-код
- Опубликовано: 14 янв 2025
- In the past, the FDA has required medical devices with wireless functionality to provide two cybersecurity documents in 510(k) submissions:
➤ Risk management summary for cybersecurity
➤ Cybersecurity management plan
In FY 2024 (i.e., next week), the FDA will start requiring cybersecurity testing in 510(k) submissions. The FDA has specifically identified:
➤ Vulnerability Testing
➤ Penetration Testing
The new FDA cybersecurity guidance can be downloaded from this link:
➤ medicaldevicea...
We also have procedures for cybersecurity and software validation:
➤ medicaldevicea...
➤ medicaldevicea...
Many of our clients are struggling to meet this new testing requirement because it requires qualified cybersecurity experts independent from your development team to do the penetration testing. Today we are interviewing Valentina Flores, who is the CEO of Red Sentry. She is going to introduce her company and help us understand how they help companies with this testing.
If you are interested in scoping your pentest project, please use the following link:
➤ redsentry.type...
You can also email Red Sentry directly: hello@redsentry.com
Please type your cybersecurity questions in the comment section below.
Loved the conversations, and the Q&A! Thanks for having us!
Looking forward to a new cybersecurity topic next month. Maybe someone will post a great question in the comments for us to address next month.
Thank you for taking the time to do this interview Valentina. We really appreciate your help.
This webinar was very informative. Looking forward to future ones. Thank you Rob and Red Sentry!
Thank you. We are looking forward to more videos with Red Sentry too.
Thanks for this!
Sure thing!
This was great-thanks for hosting, Rob. I have a question: If penetration testing identifies cybersecurity vulnerabilities in a mobile medical app, is it necessary to conduct and document a complete impact assessment and regression analysis of the software before implementing the cybersecurity fix? After the issue is resolved, would it be required to develop a regression testing report, or is it sufficient to simply fix the cyber vulnerability and document that it was addressed?
Usually you don't want to submit software for pen testing until it is "bug free." So the last thing you are probably going to do is validate the software to make sure your last few bugs are gone. But you don't need an impact assessment and regression analysis before you submit the software for pen testing. After vulnerability testing and pen testing are completed, you will have a new list of things to fix. After you fix the security issues, you should probably repeat your validation again before sending it back for pen testing. This would be the logical time to develop your validation testing report, but you could also do it after the final security testing. Hopefully, the second time the security issues are gone and you don't have to repeat the process a third time.
Thank you for helping us to understand. could you please let me know security control for this
There are 8 security controls that must be included as a minimum. Those are included in the eSTAR and the help Java script window explains each one. The list of 8:
A) Authentication controls:
B) Authorization controls:
C) Cryptography controls:
D) Code, data, and execution integrity controls:
E) Confidentiality controls:
F) Event detection and logging controls:
G) Resiliency and recovery controls:
H) Firmware and software update controls:
any specfice requriement for tester to be certification for testing medical device
Great question. The FDA states that the qualifications of the tester need to be documented, but the requirements do not include specific training in medical devices.