The reality is Risk Management is one of the more complex aspects of compliance and product efficacy, as risk comes in so many forms and perceptions, and on top of it risk assessments can be interpreted differently across a sector. Often decisions must be made with not enough data to accurately quantify risks. This course teaches the principles and org mindset needed to manage RM and setup cyber security. An Excerpt from ASQ MN presentation by the author Keerthi Gunasekaran

1. UNDERSTANDING RISK MANAGEMENT IN MEDICAL
DEVICES
Covers Principles and RM Mindset to tackle Risk Management while staying compliant to FDA
requirements
Excerpt from ASQ 2019 MN Quality Conference presentation by Keerthi Gunasekaran.
NOTE: The content and views are solely provided by the author, and its made available for
educational purposes . The content is their interpretation, opinions on Risk Management, FDA
regulations and cybersecurity guidance originating from years practicing RM and work
experience. It does not reflect, represent any entities or organizations’ involvement or
inputs.

2. LEARNING OBJECTIVES
- RISK MANAGEMENT THINKING
- UNDERSTAND CYBERSECURITY AND
HOW TO INTEGRATE CYBERSECURITY
INTO RISK MANAGEMENT

3. ENTROPY
• Physics: a thermodynamic quantity
representing the unavailability of a
system's thermal energy for
conversion into mechanical work,
often described as the degree of
disorder or randomness in the
system.
• Lack of order or predictability;
gradual decline into disorder.

4. RISK MANAGEMENT IS ABOUT COMBATING
ENTROPY
……………..THROUGH OUR ASSESSMENT OF
FACTS, REALITY AND PREDICTIONS TO DRIVE A
SET OF ACTIONS

5. UNIVERSAL LAWS OF RISK MANAGEMENT
• Risk should be objective
• Risk assessment process has to be
definitive
• Risk acceptability can be subjective
Example: A external Ventricular Assist
Device (VAD) can be an acceptable risk
for treatment of end-stage heart
failure versus chronic care heart
diseases.

6. SYSTEM ENVIRONMENT
/ CONDITIONS
OUTCOME
ACCEPTABILITY
/ CRITICALITY
FAILURE MODES CAN OCCUR ANYWHERE…
FAILURE MODES RISK MANAGEMENT

7. RISK MANAGEMENT?
Risk Management is the systematic application of management policies, procedures and
practices to the tasks of analyzing, evaluating, controlling and monitoring risk
[Risk Assessment in this context is: Combination of probability of occurrence and severity of harm ]
— Application of Risk Management to Medical Devices Risk Management Process- ISO 14971.7

8. (OPSCon)2 METHODOLOGY
• Outcomes
• Objectives
• Process
• Performance (IFU, Optimization, etc)
• Scenarios (Use Conditions, Experience)
• Safety
• Controls
• Contingencies
COPYRIGHTED – MAY 2019 PROPERTY OF KEERTHI GUNASEKARAN
X
Outcomes
Process
Scenarios
Controls

9. MANAGEMENT OVERSIGHT (COMPLIANCE)
Risk Management Plan
Preliminary Health
hazard Analysis
(PHA)
DFMEA
PFMEA
Clinical Evidence
Reports
Field Events:
Product Impact
Assessment
Periodic Risk
Management
Reporting
Periodic Post-
Market Safety
Reporting
Periodic Product
Quality (Risk)
Reviews
DHF
DMR
DHR
Serv Rec
Complaint
Handling
FCA, HHA
Post-Market Risk Management

10. Field Events
/ Complaints/
Regulations/
Service & Repairs
Filter & Trend Monthly
Report
Review Periodic Reports
Post -Market Trending SOP
and WI
ONGOING POST-MARKET RISK SURVEILLANCE
Improvements

11. CYBERSECURITY RISK MANAGEMENT
ADDITIONAL TOPPINGS ON THE
FAVORITE PIZZA

12. SOUNDS FAMILIAR ?
“AN EFFECTIVE CYBERSECURITY RISK MANAGEMENT PROGRAM
SHOULD INCORPORATE BOTH PREMARKET AND POST-MARKET
LIFECYCLE PHASES AND ADDRESS CYBERSECURITY FROM DEVICE
CONCEPTION TO OBSOLESCENCE.” – FDA CYBERSECURITY POST
MARKET GUIDANCE

13. CYBER ENTROPY
• Lack of order or predictability;
gradual acute decline into disorder
sourced by different bodies with
different intentions

14. GROWING CYBER STAKEHOLDERS LANDSCAPE
Traditional
Stakeholders
Stakeholders
Patients
Media
Security
Researchers
ICS-CERT
Hospital
IT
Customers
Business
FDA
New / Emerging
Stakeholders
“Ethical Hacking”

15. 15
CYBERSECURITY ADVISORIES
• Their mission is to improve the cybersecurity
posture of 16 critical infrastructure sectors –
which includes medical devices (Healthcare
and Public Health)
• ICS-CERT advisories are public disclosures of
security vulnerabilities to critical
infrastructure to inform on risks and
mitigations

16. CYBERSECURITY EXPECTATION
POST-MARKET CYBER SECURITY PROGRAM INTENT
• Evidence of an ongoing structured and systematic approach in risk management and
quality management systems that entails:
• Methods to analyze, detect, and assess threat sources,
• Methods to identify, characterize, assess and mitigate or recover from a cybersecurity
vulnerability.
• Includes Design Expectations: Maintaining robust software lifecycle processes,
• Using threat modeling for safety and essential performance & communication
- excerpt from post market guidance page 13

17. CYBERSECURITY ESSENTIALS
Confidentiality
• Prevent unauthorized disclosure
Integrity
• Prevent unauthorized modification
Availability
• Functions when needed
Key Design Considerations:
1) Accessibility:
 External Interfaces: analyze & protect
 Communication Technology: key
interface, remotely available
2) Authentication: validating with whom you are
communicating
3) Encryption: protect data
4) Availability: how can this be constrained yet
still meet System design needs?
5) Updates: security updates will be needed,
ensure upgradability is built-in

18. POST-MARKET CYBERSECURITY
ELEMENTS OF AN EFFECTIVE POST-MARKET CYBERSECURITY RISK
MANAGEMENT PROGRAM
Post-market risk management program should contain steps to:
1. Identify,
2. Protect,
3. Detect,
4. Respond,
5. Recover.
Maintain safety and essential performance- Evidence in: FMEA
process, RM reports, Complaint SOPs. Identify cyber security
signals,
Vulnerability Characterization, Risk Analysis & Threat Modeling,
Sources, and Impact Assessment
Compensating Controls Assessment, Risk Mitigation and deploying
mitigations that address cybersecurity risk early and prior to
exploitation
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

19. SECURITY RISK: MANAGE WITH PRODUCT RISKS
Key compliance consideration where
security risks feeds into the overall
product risk analysis:
- Patient Safety Documentation
(Design)
- Hazard / Harm Analysis
- Safety / System Characterization
- Use- Error Analysis
- Complaint Reporting (coding)
- Service and Repairs

20. AUDIT CS QUICK CHECKLIST
 Evidence of cybersecurity in risk management plan,
 Threat or signal sources defined and monitored
 Software lifecycle evaluation contains cybersecurity assessments
 Evidence of Vulnerability Characterization and Assessment
 Threat modeling; Patient harm,
 Risk acceptance criteria.
 Use of “Common Vulnerability Scoring System,” Version 3.0 (page13)
 Post-Market Triage vulnerabilities for remediation
 Post-Market Risk Analysis and Remediation

21. KEY TAKEAWAYS
1. Risk is objective, Risk assessment process has to be definitive but Risk
acceptability can be subjective
2. Risk Management is the systematic oversight of analyzing, evaluating,
controlling and monitoring risk
3. Cybersecurity requires evidence of an ongoing structured and systematic
approach in risk management and quality management systems that
entails: methods to analyze, detect, assess and mitigate threat sources.
4. Cybersecurity is about protecting confidentiality, integrity and availability.
5. Key compliance consideration include patient safety, risk characterization,
user error analysis and complaints and servicing.

22. END.
Increasingly, companies are turning to artificial
intelligence for their products and services.
AI
Pic Credit: Inc

23. APPENDIX

24. DEFINITIONS PER ISO 14971
Important to ensure there is common understanding
of terms and definitions
24

25. MEDICAL DEVICE CYBERSECURITY -FDA GUIDANCE FIRST
RELEASE
• Pre-market oct, 2014
• Post-market dec,2016

26. POST-MARKET
PRE-MARKET NOT DISCUSSED
This guidance applies to any marketed and distributed medical device (+“legacy
devices”) including:
1) medical devices that contain software (including firmware) or programmable logic;
2) software that is a medical device, including mobile medical applications.
3) devices that are considered part of an interoperable system

27. CYBERSECURITY – RM PROCESS ENHANCEMENTS
• Threat Assessment
• STRIDE Methodology
• Attack-Tree Methodology
• Vulnerability Assessment
• CVSS
• FDA-MITRE Healthcare Rubric
• Risk Assessment
• Security Risk Assessment
• Safety Assessment
• Management Oversight
Vulnerability
Threat
Risk
Management

28. STRIDE
STRIDE is a model of threats developed at Microsoft for identifying computer security threats. It provides a
way to screen for security threats in six categories.
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data leak)
• Denial of service (D.o.S)
• Elevation of privilege

29. CVSS
• The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability
severity and help determine the urgency and priority of response. When vulnerabilities are discovered
in medical devices, medical device manufacturers, typically working with the Department of Homeland
Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to
provide a consistent and standardized way to communicate the severity of a vulnerability between
multiple parties, including the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and
vulnerability researchers.
• CVSS and its associated rubric were developed for enterprise information technology systems and do
not adequately reflect the clinical environment and potential patient safety impacts. To address this
challenges, the MITRE Corporation, under contract to FDA, developed a rubric that provides guidance
for how an analyst can utilize CVSS as part of a risk assessment for a medical device.
• This rubric was developed by MITRE in collaboration with a working group of subject matter experts
across the medical device ecosystem, including FDA, medical device manufacturers, healthcare delivery
organizations, security experts, and safety/risk assessment experts.

30. CYBERSECURTIY QMS AND RA AREAS
Areas within QMS in addition to the risk management program:
Quality System areas:
1. FCA (21 CFR 806)
2. Complaint handling (21 CFR 820.198, 803),
3. Quality audit (21 CFR 820.22),
4. Corrective and preventive action (21 CFR 820.100),
5. Software validation and risk analysis (21 CFR 820.30(g))
6. Servicing (21 CFR 820.200).
7. Supplier quality
Regulatory areas:
1. PMA Periodic reports (21 CFR 814.84)

31. REFERENCED IN FDA CYBERSECURITY GUIDANCE
 21 CFR Part 820 Quality Systems Regulations
 820.30 Subpart C – Design Controls of the Quality System
Regulation
 806.10 – Reports of corrections and removals
 807.81 (a)(3)
 806.10(f)
 820.100 Corrective action and preventative action
 7.42 Recall Strategy for elements of a remediation plan
 7 (b)(3) Effectiveness checks
 814.39
 814.84
 820.30(g)
• ANSI/AAMI ES60601-1:2005/(R)2012 and A1:2012, C1:2009/(R)2012
and A2:2010/(R)2012 (Consolidated Text) Medical electrical
equipment— Part 1: General requirements for basic safety and
essential performance (IEC 60601-1:2005, MOD), section 3.27 defines
“Essential Performance” as performance of a clinical function, other
than that related to basic safety, where loss or degradation beyond the
limits specified by the manufacturer results in an unacceptable risk.”
• ISO/IEC 30111:2013: Information Technology – Security Techniques –
Vulnerability Handling Processes (recognized standard)
• ISO/IEC 29147:2014: Information Technology – Security Techniques –
Vulnerability Disclosure
• AAMI TIR57: Principles for medical device security—Risk management
• IEC/TR 80001-2-1:2012 Application of risk management for IT-networks
incorporating medical devices

32. Questions ?
Keerthi Gunasekaran – Email: keerthi@mindwatts.com
.