What does FDA stand for?
Food and Drug Administration.
What does one have to demonstrate to the FDA for 510(k) clearance?
Substantial equivalence.
A manufacturer must demonstrate to the FDA that their medical device is substantially equivalent to a legally marketed predicate device in terms of intended use and technological characteristics, without raising new safety or effectiveness concerns.
What is defined as physical injury or damage to the health of people, or damage to property or the environment?
Harm.
True or false? It is typically okay to incorporate security risk management into safety risk management (especially for simple devices).
False. Previously, FDA had been more open to combining the two processes and we’d suggested (for simple devices) that our clients keep them combined. FDA has been clear in their 2023 guidance and in their newest eSTAR templates that the two processes need to be separate.
What is defined as any circumstance or event that could harm a device, organization, or individuals by compromising an information system through unauthorized access, destruction, disclosure, modification, or denial of service?
Threat.
How many classes of medical devices are there?
Three: Class I, Class II, and Class III.
How many days does the FDA typically take to review a 510(k) submission?
90 days.
Which document describes the steps in a device’s risk management process (in our templates anyway)?
Risk Management Plan.
What is defined as a device that—(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats?
A Cyber Device.
Name a threat modeling methodology.
STRIDE
Attack Trees
Which department of the U.S. government oversees the FDA?
The Department of Health and Human Services (HHS).
What is a De Novo submission?
An FDA regulatory pathway for novel, low to moderate risk medical devices that lack a legally marketed predicate.
What combination of factors defines risk?
The combination of the probability of harm occurring and the severity of that harm. This is from the commonly used standard ISO 14971.
What is multi-patient harm?
The concept of “multi-patient harm” is introduced in the 2023 FDA Cybersecurity Guidance.
A device can cause “multi-patient harm” if a cybersecurity incident could result in multiple patients being harmed “simultaneously or in rapid succession”.
What does STRIDE stand for?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
What differentiates Class III devices from Class I and II devices?
Class III devices sustain or support life, are implanted, or present a high risk of illness or injury.
What is the most stringent and time-consuming FDA pathway?
Premarket Approval (PMA). It requires extensive scientific and clinical evidence to demonstrate safety and effectiveness.
What is the difference between hazard and harm?
Hazard is the cause, while harm is the consequence.
A hazard is a potential source of harm. It is something that can cause injury, damage, or negative effects. Harm is the actual injury, damage, or adverse effect that results from exposure to a hazard.
Hazard example: Sharp edges on a device
Harm example: A patient getting cut by sharp edges
Name a security standard that the FDA recognizes.
ANSI/AAMI SW96, AAMI TIR57, AAMI TIR97
IEC 81001
Define Repudiation from STRIDE.
Doing something bad and claiming to not have done it.
Repudiation in STRIDE refers to the threat where a user or system denies performing an action, such as a transaction or data modification, without a way to prove otherwise.
In what year was the FDA officially established?
1906
- Interactive Review
- Submission Issue Request
What is residual risk?
The risk that remains after all risk control measures have been implemented.
4 out of the following:
A. Authentication
B. Authorization
C. Cryptography
D. Code, Data, and Execution Integrity
E. Confidentiality
F. Event Detection and Logging
G. Resiliency and Recovery
H. Firmware and Software Updates
CVSS scores range from 0.0 to 10.0. What range of scores is categorized as "High" severity?
Low (0.1–3.9)
Medium (4.0–6.9)
High (7.0–8.9)
Critical (9.0–10.0)