Good Cyber Hygiene

good cyber hygiene

Certainly everyone with any connection to information technology and networked devices is concerned with cybersecurity. However, often we just miss the basics – we do not practice good cyber hygiene. While not intended to be comprehensive or state-of-the-art, here are some security basics (or as some call it, “cyber hygiene”) that one should consider when developing devices that will be networked.

  1. Use a firewall and periodically maintain its configuration
  2. Change those vendor supplied defaults for usernames, passwords, identifiers, etc.
  3. Encrypt data at-rest and in transport. It’s just too easy to always protect data. Just do it.
  4. Use anti-virus software on development systems, test systems, and other systems that “touch” the product
  5. Install vendor supplied security patches
  6. Limit access to data – de-identify data early in the process.
  7. Obviously, use unique IDs for authentication and add something that is not obvious, e.g., 4 digit number added to first name and last name
  8. Restrict access to physical locations where data is retained
  9. Manage users, both incoming and termination, and monitor activity
  10. Periodically test security layers and re-assess acceptability
  11. Create policy in addition to procedure for security expectations for employees and sub-contractors
  12. Any cybersecurity expectations of our customers/users should be clearly communicated in product labeling

FDA has provided two guidance documents (find them on our Popular Resources page) and there are standards and technical reports that can be helpful as well.  Here are a few that we recommend:

Our partner Sherman Eagles provides periodic updates on standards and technical reports affecting medical device systems and software, and also provides a unique, one-of-a-kind concierge-level mentoring.  See our subscription options to start receiving Sherman’s updates today and engage with Sherman to raise your quality system bar!

About the author

Brian Pate helps medical device companies achieve efficient and FDA regulatory compliant product development to produce higher quality and clinically valued software. He began his career in clinical research in 1985 with the Department of Anesthesiology at UAB developing closed-loop control systems for the automated delivery of gases and control. In 1990, he made the switch from university research to the medical device industry designing control systems, communication interfaces, user interface, and other software for real-time embedded systems and clinical information systems, working for medical device companies including Johnson & Johnson, Baxter Healthcare, and GE Medical. Today, he is a Partner and the General Manager of Crisis Prevention and Recovery LLC (dba SoftwareCPR®), a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software. He has taught the AAMI/FDA course on Software Regulation to FDA Reviewers at FDA and is currently the lead faculty for the public version of that course taught annually along with FDA staff. Brian served on the AAMI/FDA TIR working group that created AAMI TIR32 Guidance on the application of ISO 14971 to Software (later superseded by IEC 80002-1). He later served on the original AAMI/FDA working group that created the AAMI TIR45-2012 TIR Guidance on the use of Agile practices in the development of medical device software and is currently the co-chair leading the creation of the 2nd edition of TIR45. He has served as faculty for all offerings of the AAMI/FDA Compliant Use of Agile Methods public course. Brian also served as an instructor for the AAMI Design Controls course. He is also a member of the Underwriters’ Laboratories Standards Technical Panel 5500, Remote Software Updates. He now serves as a member of the AAMI Software Committee.

Upcoming Training

62304, FDA, and Emerging Standards for Medical Device and HealthIT
Planned Instructors:  Brian Pate, John F. Murray, Jr
Location: Sunnyvale, CA, USA
Dates:  February 4-6, 2020

QSS Software Validation
Planned Instructors:  Brian Pate, John F. Murray, Jr
Location: Boston, MA, USA
Dates:  June 4-6, 2020

To pre-register and get info on deep discounts or if you have questions, email training@softwarecpr.com

Corporate Office

15148 Springview St
Tampa, FL 33624
USA
+1-781-721-2921
Partners located in the US (CA, FL, MA, MN) and Italy.