There are 8 security controls that must be included as a minimum. Those are included in the eSTAR and the help Java script window explains each one. The list of 8: A) Authentication controls: B) Authorization controls: C) Cryptography controls: D) Code, data, and execution integrity controls: E) Confidentiality controls: F) Event detection and logging controls: G) Resiliency and recovery controls: H) Firmware and software update controls:
This was great-thanks for hosting, Rob. I have a question: If penetration testing identifies cybersecurity vulnerabilities in a mobile medical app, is it necessary to conduct and document a complete impact assessment and regression analysis of the software before implementing the cybersecurity fix? After the issue is resolved, would it be required to develop a regression testing report, or is it sufficient to simply fix the cyber vulnerability and document that it was addressed?
Usually you don't want to submit software for pen testing until it is "bug free." So the last thing you are probably going to do is validate the software to make sure your last few bugs are gone. But you don't need an impact assessment and regression analysis before you submit the software for pen testing. After vulnerability testing and pen testing are completed, you will have a new list of things to fix. After you fix the security issues, you should probably repeat your validation again before sending it back for pen testing. This would be the logical time to develop your validation testing report, but you could also do it after the final security testing. Hopefully, the second time the security issues are gone and you don't have to repeat the process a third time.
Great question. The FDA states that the qualifications of the tester need to be documented, but the requirements do not include specific training in medical devices.
Loved the conversations, and the Q&A! Thanks for having us!
Looking forward to a new cybersecurity topic next month. Maybe someone will post a great question in the comments for us to address next month.
Thanks for this!
Sure thing!
This webinar was very informative. Looking forward to future ones. Thank you Rob and Red Sentry!
Thank you. We are looking forward to more videos with Red Sentry too.
Thank you for taking the time to do this interview Valentina. We really appreciate your help.
Thank you for helping us to understand. could you please let me know security control for this
There are 8 security controls that must be included as a minimum. Those are included in the eSTAR and the help Java script window explains each one. The list of 8:
A) Authentication controls:
B) Authorization controls:
C) Cryptography controls:
D) Code, data, and execution integrity controls:
E) Confidentiality controls:
F) Event detection and logging controls:
G) Resiliency and recovery controls:
H) Firmware and software update controls:
This was great-thanks for hosting, Rob. I have a question: If penetration testing identifies cybersecurity vulnerabilities in a mobile medical app, is it necessary to conduct and document a complete impact assessment and regression analysis of the software before implementing the cybersecurity fix? After the issue is resolved, would it be required to develop a regression testing report, or is it sufficient to simply fix the cyber vulnerability and document that it was addressed?
Usually you don't want to submit software for pen testing until it is "bug free." So the last thing you are probably going to do is validate the software to make sure your last few bugs are gone. But you don't need an impact assessment and regression analysis before you submit the software for pen testing. After vulnerability testing and pen testing are completed, you will have a new list of things to fix. After you fix the security issues, you should probably repeat your validation again before sending it back for pen testing. This would be the logical time to develop your validation testing report, but you could also do it after the final security testing. Hopefully, the second time the security issues are gone and you don't have to repeat the process a third time.
any specfice requriement for tester to be certification for testing medical device
Great question. The FDA states that the qualifications of the tester need to be documented, but the requirements do not include specific training in medical devices.