14
Dec
2018

Good Cyber Hygiene

, ,
0
good cyber hygiene

Certainly everyone with any connection to information technology and networked devices is concerned with cybersecurity. However, often we just miss the basics – we do not practice good cyber hygiene. While not intended to be comprehensive or state-of-the-art, here are some security basics (or as some call it, “cyber hygiene”) that one should consider when developing devices that will be networked.

  1. Use a firewall and periodically maintain its configuration
  2. Change those vendor supplied defaults for usernames, passwords, identifiers, etc.
  3. Encrypt data at-rest and in transport. It’s just too easy to always protect data. Just do it.
  4. Use anti-virus software on development systems, test systems, and other systems that “touch” the product
  5. Install vendor supplied security patches
  6. Limit access to data – de-identify data early in the process.
  7. Obviously, use unique IDs for authentication and add something that is not obvious, e.g., 4 digit number added to first name and last name
  8. Restrict access to physical locations where data is retained
  9. Manage users, both incoming and termination, and monitor activity
  10. Periodically test security layers and re-assess acceptability
  11. Create policy in addition to procedure for security expectations for employees and sub-contractors
  12. Any cybersecurity expectations of our customers/users should be clearly communicated in product labeling

FDA has provided two guidance documents (find them on our Popular Resources page) and there are standards and technical reports that can be helpful as well.  Here are a few that we recommend:

Our partner Sherman Eagles provides periodic updates on standards and technical reports affecting medical device systems and software, and also provides a unique, one-of-a-kind concierge-level mentoring.  See our subscription options to start receiving Sherman’s updates today and engage with Sherman to raise your quality system bar!

About the author

Partner and General Manager, Brian Pate is ISO 1385:2016 Lead Auditor certified for Medical Device Quality Management Systems (MD), and ISO 19011:2018 Management Systems Auditing (AU) and Leading Management Systems Audit Teams (TL). Brian started his medical device career in anesthesia clinical research in 1985 and has since worked both academia and industry including many years with Johnson & Johnson, Baxter Healthcare, and GE Medical. Brian’s roles have included software engineering, systems engineering, quality assurance, and regulatory affairs. Brian has served on multiple AAMI TIR working groups, including TIR32-2008 (Application of ISO 14971 Risk Management to Software; now IEC 80002-1) and TIR45-2012 (Guidance on the use of Agile practices in the development of medical device software) and served as a reviewer for the 2nd edition of TIR45. Brian serves on the AAMI Software Committee and as an AAMI instructor for the software, design controls, and agile methods courses. Brian also is a member of the Underwriters’ Laboratories (UL) Standards Technical Panel for UL1998 (Software in Programmable Components) and or UL5500 (Remote Software Updates).

SoftwareCPR Training Courses

ISO13485:2016 ISO 13485 Internal Audit(or) Training Course (Live, 3-day)

IEC 62304 and other Emerging Standards Impacting Medical Device Software (Live, 3-day)

Being Agile & Yet CompliantISO 14971 SaMD Risk Management

Software Risk Management

Medical Device Cybersecurity

Software Verification

IEC 62366 Usability Process and Documentation

Or just email training@softwarecpr.com for more info.

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
office@softwarecpr.com
Partners located in the US (CA, FL, MA, MN, TX) and Canada.