Medical cyber

Why You Need a Secure Product Development Framework for Medical Device Cybersecurity

By Milton Yarberry and Stephanie Van Ness

A Secure Product Development Framework (SPDF) is a set of processes that help identify and reduce the number and severity of vulnerabilities in products. It encompasses all aspects of a product’s lifecycle, including design, development, release, support and decommission.

Think of the SPDF as a cybersecurity management system that rolls up under your Quality Management System (QMS), and contains cybersecurity-specific procedures and templates that uniquely address medical device cybersecurity requirements.

Is an SPDF essential? Absolutely. 

That’s because the Federal Food, Drug & Cosmetic Act, section 524B, requires assurance that devices are cybersecure. Section 524B says a sponsor of an application shall “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.” It also requires Software Bill of Materials (SBOMs), monitoring of vulnerabilities, and software updates. 

In the guidance the FDA is clear that cybersecurity is part of device safety and the quality system (QS) regulation. An SPDF is highlighted as a way of meeting QS regulations and FDA expectations.

A Strong Foundation for a Secure Product Development Framework

Standards IEC 81001-5-1 and ANSI/AAMI SW96:2023 make for a strong foundation for a SPDF because both were developed specifically for medical devices and Software as Medical Devices (SaMD). They are recognized by the FDA as consensus standards and by other regulatory bodies around the world.

IEC 81001-5-1 provides guidance for SPDF activities over the lifecycle of the product. While it is a cybersecurity software only standard, our SPDF fills gaps so that security for both hardware and software are covered.

Another very nice aspect of IEC 81001-5-1 is that it was specifically developed to be an extension to your existing safety and effectiveness QMS and also your software lifecycle processes. So this standard is a good complement to ISO 13485: Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes, and IEC 62304: Medical Device Software – Software Life Cycle Processes.

While IEC 81001-5-1 has a small section on risk management, ANSI/AAMI SW96:2023 is a dedicated risk management standard and much more comprehensive. ANSI/AAMI SW96 is based on the widely adopted Technical Information Reports: AAMI TIR57 and TIR97. AAMI SW96 covers risk through the total product lifecycle and was developed as a complement to your existing safety and effectiveness risk management process, such as ISO 14971: Medical Devices – Application of Risk Management to Medical Devices.

Why Choose Integrated Computer Solutions?

The FDA may send a deficiency letter to applicants when there are major gaps in a submission or minor deficiencies that persist after initial communication. This temporarily puts the marketing application on hold until the FDA receives the requested information. Having a process based on FDA consensus standards, using that process, and making sure all FDA recommendations are addressed is a recipe for fast acceptance by the FDA – and for avoiding costly and time-consuming deficiency letters.

Implementing our SPDF provides confidence that your premarket submission process will not get bogged down with costly and time-consuming delays responding to a potential FDA deficiency letter. We have mapped IEC 81001-5-1 and AAMI SW96 to our SPDF to make sure we completely cover both. In addition, we have mapped all of the FDA’s cybersecurity recommendations from their premarket and postmarket documents. 

Our SPDF:

  • Complies with FDA’s premarket and postmarket medical device cybersecurity recommendations
  • Is based on IEC 81001-5-1, a FDA consensus cybersecurity standard
  • Includes security risk management based on ANSI/AAMI SW96:2023, an FDA consensus standard
  • Easily integrates with your existing QMS and risk management processes
  • Includes a complete set of cybersecurity premarket FDA submission templates matching eSTAR terminology
  • Encompasses cybersecurity SPDF procedures and templates to support all security processes needed for an FDA inspection
  • Developed by specialists with over 50+ years of medical device, quality management systems, and cybersecurity expertise

To provide you the flexibility to accommodate your individual situation, we offer two different documentation packages. Choose either:

FDA Premarket Submission Templates: 15 templates that the FDA requires for a premarket submission. These templates are comprehensively based on all the FDA’s premarket recommendations.

Full SPDF Package: Includes a cybersecurity SPDF manual, 25 templates including the 15 required for a FDA premarket submission, and 25 procedures that enable users in populating the templates. This package provides all documentation needed to establish a cybersecurity SPDF that complements your existing QMS – everything you need to create all premarket cybersecurity information required by the FDA in the shortest amount of time and with the highest level of confidence of acceptance.

Learn more about our SPDF and related services or reach out to our experts to see how it may meet your medical device cybersecurity needs.