A client recently asked us what cybersecurity documentation they needed to include in their 510(k) if their device only includes a USB port (i.e., it doesn't have internet connectivity). In this article, we share the suggestions we offered them. We hope they're useful to you.
If your team is in a hurry to complete a 510(k) submission, you may be interested in our Fast 510(k) Service.
Key Documents
If your device does not connect to the network and the USB port is only used for exporting reports and applying software updates, then we believe the cybersecurity risk for the device is relatively low in many cases. The most recent cybersecurity guidance is from 2014, but we usually suggest also following parts of the 2022 draft guidance. In this case, we suggest the following documents be included in the submission.
Risk Management
Perform a cybersecurity risk analysis. Given how few security risks you will likely identify, it is usually simplest to document them alongside your safety risk management rather than splitting safety and security risk management apart.
For any security risks identified related to the USB thumb drive, include risk control measures and trace them to the requirements that implement them, as well as to the verification of those requirements (just as you would for all of your other requirements).
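The trace chain described above (risk, then control, then implementing requirement, then verification) is easy to leave incomplete when it lives in a spreadsheet. The following added example, which is not from the article, checks that chain programmatically. The data model and the sample USB-related risks, controls, requirements and test IDs are all constructed for illustration and are not a real device's records.

```python
"""Traceability check for security risk controls (added example, not from the article).

Hypothetical data model: each security risk lists the controls that mitigate it,
each control lists the requirement(s) that implement it, and each requirement
lists the verification test(s) that cover it.  find_trace_gaps() reports every
break in the chain risk -> control -> requirement -> verification so the gaps can
be closed before the submission is assembled.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    id: str
    description: str
    controls: list = field(default_factory=list)      # control IDs


@dataclass
class Control:
    id: str
    description: str
    requirements: list = field(default_factory=list)  # requirement IDs


@dataclass
class Requirement:
    id: str
    text: str
    verifications: list = field(default_factory=list) # test-case IDs


def find_trace_gaps(risks, controls, requirements, verification_ids):
    """Return human-readable gap messages; an empty list means the chain is complete."""
    control_by_id = {c.id: c for c in controls}
    req_by_id = {r.id: r for r in requirements}
    gaps = []
    for risk in risks:
        if not risk.controls:
            gaps.append(f"{risk.id}: no risk control measure recorded")
        for cid in risk.controls:
            ctrl = control_by_id.get(cid)
            if ctrl is None:
                gaps.append(f"{risk.id}: references unknown control {cid}")
                continue
            if not ctrl.requirements:
                gaps.append(f"{cid}: not traced to any requirement")
            for rid in ctrl.requirements:
                req = req_by_id.get(rid)
                if req is None:
                    gaps.append(f"{cid}: references unknown requirement {rid}")
                    continue
                if not req.verifications:
                    gaps.append(f"{rid}: no verification test traced")
                for vid in req.verifications:
                    if vid not in verification_ids:
                        gaps.append(f"{rid}: references unknown verification {vid}")
    return gaps


def example_gaps():
    """Run the check over constructed sample records (two deliberate gaps)."""
    risks = [
        Risk("SR-1", "Malicious or corrupted update package applied from USB drive", ["C-1"]),
        Risk("SR-2", "Device executes content from an inserted USB drive", ["C-2"]),
        Risk("SR-3", "Exported report on USB drive read by unintended party"),  # no control
    ]
    controls = [
        Control("C-1", "Installer verifies manufacturer signature before applying update", ["SRS-120"]),
        Control("C-2", "USB drive is mounted read-only; no file on it is ever executed", ["SRS-121"]),
    ]
    requirements = [
        Requirement("SRS-120", "The software shall reject unsigned update packages", ["TC-120"]),
        Requirement("SRS-121", "The software shall mount USB storage read-only"),  # no test
    ]
    verification_ids = {"TC-120"}
    return find_trace_gaps(risks, controls, requirements, verification_ids)


if __name__ == "__main__":
    for gap in example_gaps():
        print("GAP:", gap)
```

The check is intentionally one-directional (it starts from risks), because that is the direction a reviewer reads: every identified security risk must lead to a verified requirement. Orphaned requirements with no risk behind them are a separate, lower-priority cleanup.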
User Manual Content
Include in your user manual any training about how users should interact with the USB thumb drive. Also review Section VI.A of the draft 2022 guidance and include any other relevant content.
Summary Document
Create a "Cybersecurity Summary" document that includes sections covering the following information:
- A summary of the cybersecurity risks and their mitigation.
- A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness.
- A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g., remain free of malware) from the point of origin to the point at which the device leaves the control of the manufacturer.
- A reference to the appropriate section of the user manual.
Additional Documents
If you want to be more conservative, here are a few additional documents you may want to create.
Software Bill of Materials (SBOM)
Create a Software Bill of Materials (SBOM) for your product. Check out our article, SBOMs: Best Practices, FAQs, and Examples, for details on how to do this. If you create an SBOM, follow these additional steps:
- Add a section to the "Cybersecurity Summary".
- Include the SBOM in the submission.
- Mention the SBOM in the user manual and provide a mechanism for users to obtain a copy of it (such as by emailing your support).
Vulnerability Monitoring Procedure
Document and follow a vulnerability monitoring procedure. Typically, this procedure would involve uploading your SBOM to a third-party service like Black Duck, Snyk, or Fossa, and then periodically triaging any vulnerabilities they find. The procedure should address how to document which vulnerabilities are false positives and which ones should be addressed. If you add this step, include a summary of the procedure in the "Cybersecurity Summary" document you include in the submission.
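The two steps above (producing an SBOM and then triaging what a scanner reports against it) share one data set, so here is a single added example covering both. It is not from the article or from any of the named scanning services: it builds a minimal CycloneDX-style SBOM document and then sorts constructed scanner findings into the buckets a triage record needs, refusing to accept a "false positive" or "not exploitable" decision that has no written rationale. The component names, versions and CVE identifiers are placeholders, not real packages or advisories.

```python
"""SBOM build plus vulnerability triage bookkeeping (added example, not from the article).

All data below is constructed: the component list, the scanner findings and the
CVE identifiers are placeholders and do not refer to real software or advisories.
"""
import json

# Triage outcomes the procedure allows. Every one of them must carry a rationale.
ALLOWED_STATUSES = ("false_positive", "not_exploitable", "fix_planned")


def build_sbom(product_name, product_version, components):
    """Return a minimal CycloneDX 1.4 JSON document describing the device software."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": product_name, "version": product_version}
        },
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"], "purl": c["purl"]}
            for c in components
        ],
    }


def triage_findings(sbom, findings, decisions):
    """Classify scanner findings against the SBOM and the documented decisions.

    decisions maps (component, version, vuln_id) -> {"status": ..., "rationale": ...}.
    Findings whose component/version is not in the SBOM are "stale" (scanner output
    does not match what ships).  Findings with no decision, an unknown status, or an
    empty rationale land in "needs_triage" so they cannot silently disappear.
    """
    shipped = {(c["name"], c["version"]) for c in sbom["components"]}
    buckets = {"needs_triage": [], "stale": []}
    buckets.update({status: [] for status in ALLOWED_STATUSES})
    for f in findings:
        if (f["component"], f["version"]) not in shipped:
            buckets["stale"].append(f["id"])
            continue
        decision = decisions.get((f["component"], f["version"], f["id"]))
        if (
            decision is None
            or decision.get("status") not in ALLOWED_STATUSES
            or not decision.get("rationale", "").strip()
        ):
            buckets["needs_triage"].append(f["id"])
        else:
            buckets[decision["status"]].append(f["id"])
    return buckets


def example_sbom():
    """Constructed two-component SBOM for a hypothetical USB-only device."""
    components = [
        {"name": "example-pdf-lib", "version": "2.3.1", "purl": "pkg:generic/example-pdf-lib@2.3.1"},
        {"name": "example-usb-stack", "version": "1.0.4", "purl": "pkg:generic/example-usb-stack@1.0.4"},
    ]
    return build_sbom("example-analyzer-firmware", "3.0.0", components)


def example_triage():
    """Constructed scanner output and triage decisions run through triage_findings()."""
    findings = [
        {"id": "CVE-0000-0001", "component": "example-pdf-lib", "version": "2.3.1"},
        {"id": "CVE-0000-0002", "component": "example-pdf-lib", "version": "2.3.1"},
        {"id": "CVE-0000-0003", "component": "example-usb-stack", "version": "1.0.4"},
        {"id": "CVE-0000-0004", "component": "example-usb-stack", "version": "0.9.0"},  # not shipped
        {"id": "CVE-0000-0005", "component": "example-usb-stack", "version": "1.0.4"},
        {"id": "CVE-0000-0006", "component": "example-usb-stack", "version": "1.0.4"},
    ]
    decisions = {
        ("example-pdf-lib", "2.3.1", "CVE-0000-0001"): {
            "status": "not_exploitable",
            "rationale": "Affected code path only reachable via network input; device has no network interface.",
        },
        ("example-pdf-lib", "2.3.1", "CVE-0000-0002"): {
            "status": "false_positive",
            "rationale": "Scanner matched on name only; advisory covers versions below 2.0.",
        },
        ("example-usb-stack", "1.0.4", "CVE-0000-0005"): {
            "status": "fix_planned",
            "rationale": "Upstream fix in 1.0.5; scheduled for the next validated release.",
        },
        # Decision recorded without a rationale: the procedure must not accept it.
        ("example-usb-stack", "1.0.4", "CVE-0000-0006"): {"status": "false_positive", "rationale": ""},
    }
    return triage_findings(example_sbom(), findings, decisions)


if __name__ == "__main__":
    print(json.dumps(example_sbom(), indent=2))
    print(json.dumps(example_triage(), indent=2))
```

Keeping the decision record keyed by component, version and vulnerability ID means a decision automatically expires when the component version changes in the SBOM, which is exactly when a previous "not exploitable" argument needs to be revisited.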
Penetration Testing Record
Hire a third-party firm to perform penetration testing on the USB port. Include the penetration testing report in the submission.
We hope this article has been helpful. Keep in mind that every situation is unique, so please reach out to us if you need additional assistance. Finally, if a piece of documentation work feels like a waste of time, it often is, and it shouldn't be included.