As mentioned in Part 1, the Medical Device Cybersecurity Program (MDCP) was designed to augment the cybersecurity of the STARLIMS Quality Manufacturing Solution. Part 2 will discuss Risk Management Processes.
Risk Management Processes
As mandated by the European Union’s GDPR, Abbott Informatics follows “data protection by design” for its products in order to implement risk mitigation practices. Its product risk profiling tool selects the most appropriate risk assessment practices. Once the tool has determined the risk level, the two methodologies below are applied.
1) Security Risk Assessment (SRA)
Products that the risk profiling tool identifies as high risk undergo Abbott’s Security Risk Assessment process. Drawing on leading industry practices and frameworks for security risk management such as CLSI AUTO11-A2, ISO 80001, NIST 800-53, and the NIST CSF, the SRA also follows Food & Drug Administration guidance and NIST 800-30 through the following features:
• Asset, threat, and vulnerability identification
• Capability assessment of each vulnerability or threat
• Listing of the cybersecurity controls that were considered
• Impact assessment of vulnerabilities on patients/end users and product functionality
• Risk level determination and appropriate strategies for mitigation
• Traceability matrix linking the cybersecurity controls used to the cybersecurity risks considered
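The six SRA features above are, in effect, the columns of a risk register plus a control-to-risk traceability matrix. The script below is an added illustration of how such a register can be kept and checked; it is not Abbott Informatics’ or STARLIMS tooling. The assets, threats, vulnerabilities, and controls are constructed placeholders, and the three-point likelihood-by-impact lookup and the mitigation strategy per level are assumed policies in the style of NIST SP 800-30, not the vendor’s.

```python
"""Toy security risk register: risk-level determination and a traceability matrix.

Added example, not Abbott Informatics' or STARLIMS code. Names below are constructed
placeholders; the risk matrix and strategies are assumed, simplified NIST SP 800-30 style
qualitative scales chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Qualitative likelihood x impact -> risk level (assumed three-point scales).
RISK_MATRIX = {
    ("Low", "Low"): "Low",        ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",   ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate",  ("High", "Moderate"): "High",         ("High", "High"): "High",
}
RANK = {"Low": 0, "Moderate": 1, "High": 2}

# Mitigation strategy per risk level (assumed policy for this example).
STRATEGIES = {
    "High": "Mitigate before release",
    "Moderate": "Mitigate, or accept with documented justification",
    "Low": "Accept and monitor",
}


def risk_level(likelihood: str, impact: str) -> str:
    """Risk level determination from the capability (likelihood) and impact assessments."""
    return RISK_MATRIX[(likelihood, impact)]


def mitigation_strategy(level: str) -> str:
    return STRATEGIES[level]


@dataclass
class Risk:
    id: str
    asset: str            # asset identification
    threat: str           # threat identification
    vulnerability: str    # vulnerability identification
    likelihood: str       # capability assessment of the threat/vulnerability
    impact: str           # impact on patients/end users and product functionality
    controls: list[str] = field(default_factory=list)  # applied control ids

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Cybersecurity controls that were considered (constructed placeholders).
CONTROLS = {
    "CTL-1": "Mutual TLS on the results API",
    "CTL-2": "Role-based authorisation on the results endpoint",
    "CTL-3": "Append-only storage for the audit log",
    "CTL-4": "Disable debug interfaces in production firmware builds",
}

# Constructed sample risk register.
RISKS = [
    Risk("R1", "Sample results API", "Unauthenticated remote attacker",
         "Results endpoint accepts requests without authentication",
         likelihood="High", impact="High", controls=["CTL-1", "CTL-2"]),
    Risk("R2", "Instrument firmware", "Attacker with physical access",
         "Hardware debug port left enabled", likelihood="Moderate", impact="High"),
    Risk("R3", "Audit log", "Malicious insider",
         "Log files are writable by the application account",
         likelihood="Low", impact="Moderate", controls=["CTL-3"]),
]


def traceability_matrix(risks, controls) -> dict[str, list[str]]:
    """Map each considered control to the risks it is applied against."""
    matrix = {cid: [] for cid in controls}
    for r in risks:
        for cid in r.controls:
            if cid not in controls:
                raise ValueError(f"{r.id} references unknown control {cid}")
            matrix[cid].append(r.id)
    return matrix


def unmitigated(risks, min_level: str = "High") -> list[str]:
    """Risks at or above min_level with no control traced to them."""
    return [r.id for r in risks if RANK[r.level] >= RANK[min_level] and not r.controls]


def unused_controls(risks, controls) -> list[str]:
    """Controls that were considered but applied to no risk."""
    return [cid for cid, rids in traceability_matrix(risks, controls).items() if not rids]


def report(risks=RISKS, controls=CONTROLS) -> dict:
    return {
        "levels": {r.id: r.level for r in risks},
        "strategies": {r.id: mitigation_strategy(r.level) for r in risks},
        "traceability": traceability_matrix(risks, controls),
        "unmitigated": unmitigated(risks),
        "unused_controls": unused_controls(risks, controls),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The two checks at the end are the ones an assessor reads first: `unmitigated` lists High risks with nothing traced to them (here the constructed firmware debug-port risk R2), and `unused_controls` lists controls that were considered but never applied (here CTL-4), so the traceability matrix exposes gaps in both directions.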
2) Technical Security Testing (TST)
Based on the product’s functionality and its risk level, a determination is made whether to carry out the TST process. The process includes both active and passive testing and covers the following areas:
Application Security Testing – Testing of API security, application transaction security, architecture security, common risks, external library security, and web application security.
Firmware Security Testing – Analyses of firmware extraction, firmware source code, file system, and firmware/patch management, along with the testing of firmware protection security.
Hardware Security Testing – Analysis of physical security and testing of anti-tamper protection, debugging interface security, and the product’s cybersecurity features.
Network Security Testing – Testing of communication protocol security, network service security, and wireless security.
Part 3 will discuss Cybersecurity Product Features.
Alpha Engineering LIMS Implementation
Alpha Engineering Associates, Inc. has been involved with the implementation of over 50 LIMS systems ranging in size from small, “off-the-shelf” software systems to very large, highly customized, multi-functional systems, including STARLIMS, for both governmental agencies and private enterprises. For affordable client-focused network consulting services and solutions, please call Alpha Engineering Associates today at (410) 295-9500.