Compensating controls: “A safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device.”
Controlled risk: “Present when there is sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability.”
Cybersecurity routine updates and patches: “Updates or patches to a device to increase device security and/or remediate vulnerabilities associated with controlled risk and not to reduce a risk to health or correct a violation of the FD&C Act.”
Cybersecurity signal: “Any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.”
Essential clinical performance: This concept was developed for the purpose of this guidance and means “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.”
Exploit: “An instance where a vulnerability or vulnerabilities have been exercised (accidentally or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.”
Remediation: “Any action(s) taken to reduce the risk to the medical device’s essential clinical performance to an acceptable level. Remediation actions may include complete solutions to remove a cybersecurity vulnerability from a medical device (sometimes known as official fix) or compensating controls that adequately mitigate the risk (e.g., notification to customer base and user community identifying a temporary fix, or work-around).”
Threat: “Any circumstance or event with the potential to adversely impact the essential clinical performance of the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”
Threat modeling: “A methodology for optimizing Network/Application/Internet Security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. For medical devices, threat modeling can be used to optimize mitigations by identifying vulnerabilities and threats to a particular product, products in a product line, or from the organization’s supply chain that can adversely affect patient safety.”
Uncontrolled risk: “Present when there is unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient compensating controls and risk mitigations.”
Vulnerability: “A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat.”
January 20, 2016