Here are some thoughts from a recent conversation between Sherman Eagles, Brian Pate, and Alan Kusinitz of SoftwareCPR®:
Cybersecurity vulnerabilities can have unpredictable effects on safety. Unpredictable effects … to those who have worked to reduce risks of software failures in medical device software, that phrase may be familiar. The concept is explained in relation to common cause/indirect software failures (as in AAMI TIR-32 and IEC/TR 80002-1). Therefore, it is usually advantageous to identify vulnerabilities (not threats; those are harder for a manufacturer to identify) and apply controls rather than focus on probability estimation. A generally useful approach is to treat cybersecurity vulnerabilities like common cause software failures while thinking about realistic scenarios and simple mitigations; evaluating those mitigations then seems sufficient, given the overall risk of the device based on its intended use and the role of the potentially affected software in the device.