On June 7th, 2021, the FDA updated its database of recognized consensus standards. The update added two items that bear on medical device software: both are IEEE standards relevant to any medical device that claims interoperability with other networked entities. The FDA recognized them on the basis of their scientific and technical merit and because they align with its existing regulatory policies.
The first of the two standards defines a process for identifying cybersecurity vulnerabilities and estimating their risk using the STRIDE classification scheme (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). The assessment proceeds through system context, system decomposition, pre-mitigation scoring, mitigation, and post-mitigation scoring, and iterates until the remaining vulnerabilities are reduced to an acceptable level of risk.
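As an added illustration of the assessment loop just described (example code written for this post, not tooling from the standard or from the FDA), here is a small Python model that decomposes a constructed personal health device into data-flow-diagram elements, enumerates STRIDE threats per element, scores them, applies mitigations from a catalog, rescores, and repeats. The element list, the 1-5 likelihood and impact scales, the risk threshold of 6, the per-element STRIDE applicability table and the mitigation catalog are all assumptions chosen for the example; the standard's own scoring scheme is not reproduced here.

```python
"""Iterative STRIDE vulnerability assessment: context, decomposition,
pre-mitigation scoring, mitigation, post-mitigation scoring, iterate.
Example code written for this post. The device model, scores, catalog and
threshold below are constructed assumptions, not values from any standard."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element: which categories apply to each kind of DFD element (assumed).
APPLICABLE = {"entity": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

# Assumed baseline likelihood (1-5) per category before any mitigation.
BASE_LIKELIHOOD = {"S": 4, "T": 4, "R": 2, "I": 4, "D": 3, "E": 3}

# Assumed mitigation catalog: category -> ordered (name, likelihood cut, impact cut).
# A threat applies these in order, one per iteration, until acceptable or exhausted.
CATALOG = {
    "S": [("mutual authentication", 2, 0), ("certificate pinning", 1, 0)],
    "T": [("message integrity (MAC or signature)", 2, 0),
          ("signed configuration and firmware", 1, 1)],
    "R": [("audit logging", 1, 0), ("synchronized timestamps", 1, 0)],
    "I": [("transport encryption", 2, 0), ("data minimization", 0, 1)],
    "D": [("rate limiting", 1, 0), ("watchdog and safe state", 0, 1)],
    "E": [("least-privilege roles", 1, 1), ("signed firmware update", 1, 1)],
}
ACCEPTABLE_RISK = 6  # assumed threshold on likelihood * impact

# System context and decomposition of a constructed device: (name, element kind, impact 1-5)
DEVICE_MODEL = [
    ("Measurement upload to gateway", "flow", 3),
    ("Device configuration", "store", 4),
    ("Firmware update handler", "process", 5),
]


@dataclass
class Threat:
    element: str
    category: str
    likelihood: int
    impact: int
    mitigations: list = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    def acceptable(self) -> bool:
        return self.risk <= ACCEPTABLE_RISK


def enumerate_threats(model):
    """Decomposition plus pre-mitigation scoring: one threat per applicable category."""
    return [Threat(name, c, BASE_LIKELIHOOD[c], impact)
            for name, kind, impact in model for c in APPLICABLE[kind]]


def apply_next_mitigation(t: Threat) -> bool:
    """Apply the next unused catalog entry for t's category; False if none is left."""
    options = CATALOG[t.category]
    if len(t.mitigations) >= len(options):
        return False
    name, dl, di = options[len(t.mitigations)]
    t.likelihood = max(1, t.likelihood - dl)
    t.impact = max(1, t.impact - di)
    t.mitigations.append(name)
    return True


def assess(model):
    """Iterate until every threat is acceptable or no mitigation remains.
    Returns (threats, pre_total, post_total, rounds, residual_threats)."""
    threats = enumerate_threats(model)
    pre_total = sum(t.risk for t in threats)
    rounds = 0
    while True:
        open_threats = [t for t in threats if not t.acceptable()]
        if not open_threats:
            break
        applied = sum(apply_next_mitigation(t) for t in open_threats)
        if applied == 0:  # catalog exhausted: stop rather than loop forever
            break
        rounds += 1
    residual = [t for t in threats if not t.acceptable()]
    return threats, pre_total, sum(t.risk for t in threats), rounds, residual


if __name__ == "__main__":
    threats, pre, post, rounds, residual = assess(DEVICE_MODEL)
    print(f"{len(threats)} threats, total risk {pre} -> {post} after {rounds} rounds")
    for t in residual:
        print(f"RESIDUAL {t.risk:>2} {STRIDE[t.category]} on {t.element}: {t.mitigations}")
```

Two things the loop makes visible that the prose does not: the iteration has to terminate even when the catalog runs out, and what is left at that point (here, information disclosure and denial of service on the firmware update handler) is residual risk that needs a design change or a documented acceptance decision, not another pass through the same mitigations.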
The second standard defines a security baseline of application-layer cybersecurity mitigation techniques to apply in particular use cases or when particular criteria are met. It provides a scalable information-security toolbox suited to personal health device (PHD) and point-of-care device (PoCD) interfaces, covering the intersection of the requirements and recommendations of the National Institute of Standards and Technology (NIST) and the European Network and Information Security Agency (ENISA, now the European Union Agency for Cybersecurity), and it maps its mitigations to the NIST Cybersecurity Framework and to the STRIDE categories.
See another post on consensus standards: FDA recognizes Defect Taxonomy Consensus Standard