FDA Basics
Regulatory Pathways
Risk Management
Security Management
Technical Cybersecurity
200

What does FDA stand for?

Food and Drug Administration.

200

What does one have to demonstrate to the FDA for 510(k) clearance?

Substantial equivalence.

A manufacturer must demonstrate to the FDA that their medical device is substantially equivalent to a legally marketed predicate device in terms of intended use and technological characteristics, without raising new safety or effectiveness concerns.

200

What is defined as physical injury or damage to the health of people, or damage to property or the environment?

Harm.

200

True or false? It is typically okay to incorporate security risk management into safety risk management (especially for simple devices).

False. Previously, FDA had been more open to combining the two processes and we’d suggested (for simple devices) that our clients keep them combined. FDA has been clear in their 2023 guidance and in their newest eSTAR templates that the two processes need to be separate.

200

What is defined as any circumstance or event that could harm a device, organization, or individuals by compromising an information system through unauthorized access, destruction, disclosure, modification, or denial of service?

Threat.

400

How many classes of medical devices are there?

Three: Class I, Class II, and Class III.

400

How many days does the FDA typically take to review a 510(k) submission?

90 days.

400

Which document describes the steps in a device’s risk management process (in our templates anyway)?

Risk Management Plan.

400

What is defined as a device that—(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats?

A Cyber Device.

400

Name a threat modeling methodology.

STRIDE

Attack Trees

600

Which department of the U.S. government oversees the FDA?

The Department of Health and Human Services (HHS).

600

What is a De Novo submission?

An FDA regulatory pathway for novel, low to moderate risk medical devices that lack a legally marketed predicate.

600

What combination of factors defines risk?

The combination of the probability of harm occurring and the severity of that harm. This is from the commonly used standard ISO 14971.

600

What is multi-patient harm?

The concept of “multi-patient harm” is introduced in the 2023 FDA Cybersecurity Guidance.

A device can cause “multi-patient harm” if a cybersecurity incident could result in multiple patients being harmed “simultaneously or in rapid succession.”

600

What does STRIDE stand for?

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

800

What differentiates Class III devices from Class I and II devices?

Class III devices sustain or support life, are implanted, or present a high risk of illness or injury.

800

What is the most stringent and time-consuming FDA pathway?

Premarket Approval (PMA). It requires extensive scientific and clinical evidence to demonstrate safety and effectiveness.

800

What is the difference between hazard and harm?

Hazard is the cause, while harm is the consequence.

A hazard is a potential source of harm. It is something that can cause injury, damage, or negative effects. Harm is the actual injury, damage, or adverse effect that results from exposure to a hazard.

Hazard example: Sharp edges on a device

Harm example: A patient getting cut by sharp edges

800

Name a security standard that the FDA recognizes.

ANSI/AAMI SW96, AAMI TIR57, AAMI TIR97

IEC 81001

800

Define Repudiation from STRIDE.

Doing something bad and claiming to not have done it.

Repudiation in STRIDE refers to the threat where a user or system denies performing an action, such as a transaction or data modification, without a way to prove otherwise.

1000

In what year was the FDA officially established?

1906

1000

In what situation does the FDA 90-day clock NOT stop? Name one.

- Interactive Review

- Submission Issue Request

1000

What is residual risk?

The risk that remains after all risk control measures have been implemented.

1000

Name 4 of the security control categories outlined in the 2023 Cybersecurity Guidance.

4 out of the following:

A. Authentication
B. Authorization
C. Cryptography
D. Code, Data, and Execution Integrity
E. Confidentiality
F. Event Detection and Logging
G. Resiliency and Recovery
H. Firmware and Software Updates

1000

CVSS scores range from 0.0 to 10.0. What range of scores is categorized as "High" severity?

Low (0.1–3.9)

Medium (4.0–6.9)

High (7.0–8.9)

Critical (9.0–10.0)
