The US Food and Drug Administration (FDA) has recognized three new standards related to software security on medical devices. The standards address a total product lifecycle (TPLC) approach to medical device cybersecurity, the use of data logging software, and reasonable software testing.
The Center for Devices and Radiological Health (CDRH) announced on 6 November that it had recognized three consensus standards in the past month that may be used by sponsors of digital health products to give reviewers confidence in the product’s security. Over the past several years, the agency has published and updated a number of guidances on medical device software cybersecurity and promoted the use of internationally recognized standards.
Two of the standards recognized by FDA over the past month are from the American National Standards Institute (ANSI) and the Association for the Advancement of Medical Instrumentation (AAMI).
The first standard, ANSI/AAMI 2700-2-1, is part of a series of standards meant to track the safe use of medical device software in integrated clinical environments (ICE), according to ANSI. More specifically, the standard is used to ensure that data loggers deployed in ICE systems can collect information that can be used to improve and update the system.
“It is intended for use by medical device and platform manufacturers and system integrators,” the standards group says. “It provides requirements for the recording, storage, and playback of data to support safety, quality assurance, and forensic analysis for medical devices, applications, and platforms.”
FDA echoed ANSI’s comments and said that the standard addresses the general functional, performance, security, and interoperability requirements for data logging systems in ICE environments. The agency added that data loggers are important to maintaining and improving basic safety and performance in ICE systems because they allow stakeholders to run forensic analyses.
The second standard is ANSI AAMI SW96:2023, which sets requirements for performing security risk management of medical devices.
The standard details requirements and guidance for sponsors to take a TPLC approach to managing medical devices that include software that may pose cybersecurity risks, according to FDA. More specifically, the agency lists several areas where the standard may help ensure the security of a medical device, including identifying threats and vulnerabilities and determining the appropriate controls that can be put in place to reduce those risks.
“This standard is applicable to the entire life cycle of a medical device, including design, production, and post-production phases,” said FDA. “End of Support (EOS) and End of Guaranteed Support (EOGS) are milestones in the post-production phase of the medical device and may vary according to differing market and jurisdictional factors.”
The third standard, ISO IEC IEEE 29119-1, is from the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers Standards Association (IEEE). ISO noted that it is a set of internationally agreed standards that can be used in a broad range of products that include software.
More specifically, the group stated that exhaustive software testing is not practical in many cases, and the standard details how to conduct proper software testing. It recommends selecting tests by sampling, with the sampling driven by the risk the device poses.
“Test plans and test strategies are described in the context of risk-based testing, which is the recommended approach to strategizing and managing testing that underlies the ISO/IEC/IEEE 29119 series and provides the basis for test prioritization and focus,” said ISO. “Test levels, test types and test design techniques (and corresponding measures) are described in the context of their inclusion as part of the test strategy.”
FDA stated that for its purposes, the standard is relevant to medical devices and supports its existing regulatory policies.