Cybersecurity - Part 5 Templates
Hi there! Long time no see once again. I dig up our series of posts on cybersecurity.
In this post I publish two new templates for cybersecurity risk management.
The list of standards and guidances dealing with cybersecurity in medical devices has evolved a lot for the last two years:
- At first we had the FDA guidances on cybersecurity published in 2014-2016,
- Then AAMI TIR 57 was released in 2016, it describes a security risk management process comparable to the safety risk management process of ISO 14971,
- And in 2017, ANSI/UL 2900-1, and ANSI/UL 2900-2-x were released, they list requirements (sometimes very specific) to design and maintain a secure medical device.
Note that a traceability exists between UL 2900-x standards and FDA guidances on cybersecurity. I think though, it's unofficial, I let you find it on the web.
All these guidances and standards represent a good source of information to implement a cybersecurity risk management process. However, if we extend the scope to other industries, the risk management process described in ISO 27005 is also a good start.
This is the approach I had in the past few years, begin with ISO 27005 process and add specific medical devices provisions based on recommendations from AAMI TIR 57 and requirements from ISO 14971.
This risk management process is then fed with guidances found in informative part of ISO 27005, AAMI TIR 57, as well as provisions found in UL 2900-x.
The two templates are based on this approach:
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 France License.