The US Food and Drug Administration (FDA) has recognized three new consensus standards concerning the security of software on medical devices. The three standards advocate a comprehensive approach across the total product lifecycle (TPLC) for ensuring medical device cybersecurity, govern the use of data logging software, and set out reasonable practices for software testing.
The Center for Devices and Radiological Health (CDRH) announced on November 6 that, over the past month, it had recognized three consensus standards that sponsors of digital health products can use to give reviewers confidence in the security of their products.
In recent years, the FDA has issued and revised several different guidelines on the cybersecurity of medical device software, actively promoting the adoption of globally recognized standards.
Two of the three newly recognized standards come from the American National Standards Institute (ANSI) and the Association for the Advancement of Medical Instrumentation (AAMI).
The first, ANSI/AAMI 2700-2-1, belongs to a series of standards governing the secure use of medical device software in integrated clinical environments (ICE). It focuses in particular on ensuring that data loggers used in ICE systems can capture the information needed to improve the system.
Targeted at medical device and platform manufacturers, as well as system integrators, ANSI’s standard outlines requirements for recording, storing, and playing back data to facilitate safety, quality assurance, and forensic analysis for medical devices, applications, and platforms. The FDA concurred with ANSI, emphasizing that the standard addresses general functional, performance, security, and interoperability requisites for data logging systems in ICE environments.
The second recognized standard, ANSI AAMI SW96:2023, establishes requirements for conducting security risk management of medical devices. The FDA noted that this standard guides sponsors in adopting a TPLC approach to managing medical devices that incorporate software which may pose cybersecurity risks. It outlines the key activities for keeping a device secure, such as identifying threats, assessing vulnerabilities, and determining appropriate controls throughout the device’s lifecycle.
The third standard, ISO IEC IEEE 29119-1, is published jointly by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers Standards Association (IEEE). This set of internationally agreed standards, applicable to a wide range of products including software, addresses the challenge of exhaustive software testing by recommending that tests be sampled according to risk, so that the most significant potential threats are understood and mitigated.
ISO specified that the standard’s focus is on test plans and strategies within the context of risk-based testing. This approach, endorsed by ISO/IEC/IEEE 29119, facilitates test prioritization and focus by describing test levels, types, and design techniques. The FDA underscored the relevance of this standard to medical devices, aligning with its existing regulatory policies.