A security company indicated the following:
… many companies received emails from Amazon indicating that their AWS S3 bucket policies were left configured as “publicly accessible”. These publicly accessible policies allow potentially sensitive cloud data exposed to cybersecurity threats, and likely are not the intention of the Amazon customers.
Amazon recommended that each “bucket” policy be reviewed as well as contents within each S3 bucket. Additionally, S3 buckets set to allow “Any Authenticated AWS User” is still effectively granting global access. Amazon’s advice is beneficial, particularly for medical device companies, and should trigger a review of not only the AWS policies and data within each bucket, but also overall software validation and cybersecurity review. AWS S3 clearly is a useful platform that medical device companies can utilize for immense scalability and reliability without the maintenance of in-house, dedicated servers. However, like any off-the-shelf software, the manufacturer should understand the potential safety risks and impact to the intended use of the medical software applications hosted on S3.
FDA has provided guidance on designing for cybersecurity and for maintaining cybersecurity in two separate guidance documents. SoftwareCPR® has particular expertise in cybersecurity and provides independent review and assessments of our clients’ security policies, procedures, secure architecture design, cyber controls, and can also provide various levels of penetration testing.
Our cybersecurity expert allows SoftwareCPR® to offer a full-service approach to assist your company with pre-market and post-market cybersecurity planning, evaluation, vulnerability and validation services. We combine extensive experience with FDA expectations for analysis and control of cyber vulnerabilities with state-of-the-art and highly sophisticated methods and experience. We can support small medical device startups to multi-national corporations, low risk to high risk and simple to complex devices. Our approach is risk-based, using risk and threat analysis early in the process to help prevent late-cycle changes that are costly.