Page 145 - Safety Risk Management for Medical Devices
Figure 14.1 Safety and security relationship.
Traditionally, malicious actions are excluded from safety risk analysis, i.e., the
hazard of someone using a medical device as a weapon is not included in safety risk
analysis. However, because malice is a normal and expected part of security risk
threats, we will include Group 1 in the safety risk impact assessment.
Group 2 is a valid input from Security Risk Analysis that should be captured in
the Causes/Mechanisms of Failure in the Use-Misuse Failure Modes and Effects
Analysis (UMFMEA). In this case, the security threat can potentially damage a
function of the System, which may then have a safety impact.
Group 3 is already covered under UMFMEA.
Risk management involves the identification of Hazards and the estimation of risks due to those Hazards. Risk estimation requires knowledge of the probability of occurrence of Hazardous Situations. In the case of security-related Hazards, estimation of the probability of an exploit is very difficult. Conventional wisdom suggests using motivation as an indicator of the likelihood of an attack. But experience has shown that motivation plays a smaller role than people think. For many attackers, the challenge of a break-in and the thrill of the exploit is enough reward.
It’s important to consider that while security threats can have an adverse safety
impact, the security Risk Controls themselves could create safety Hazards. Estimating
the probability of occurrence of a Hazard from a security Risk Control is as difficult
as estimating the probability of occurrence of a software failure.
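As an added illustration (this is not the book's own method or code), the following Python model carries a security-originated Cause, the Group 2 input described above, into a Use-Misuse FMEA style table and treats the Hazard that a security Risk Control itself introduces as its own row, so it is estimated like any other Hazard. The severity and likelihood scales, the acceptability thresholds, the `basis` field used to make a likelihood rating reviewable, and the infusion-device sample rows are all constructed assumptions for the example.

```python
# Added worked example (not from the book): a small Use-Misuse FMEA style table
# that accepts security-originated Causes (the text's Group 2) and records the
# Hazards that security Risk Controls themselves introduce. The scales, the
# acceptability thresholds and the sample device data are all constructed for
# illustration; they are not the book's or any standard's figures.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):        # constructed 1..5 severity-of-harm scale
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Likelihood(IntEnum):      # constructed qualitative likelihood scale
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


@dataclass
class Row:
    function: str           # System function that can be damaged
    cause: str              # Cause / Mechanism of Failure
    origin: str             # "security" for a Group 2 input, "safety" otherwise
    hazard: str
    harm: str
    severity: Severity
    likelihood: Likelihood
    basis: str              # what the likelihood rating rests on (reviewable)
    control: Optional[str] = None
    residual_likelihood: Optional[Likelihood] = None
    control_hazard: Optional["Row"] = None   # Hazard created by the control itself


def risk_level(severity: Severity, likelihood: Likelihood) -> str:
    """Constructed acceptability rule on a severity x likelihood index."""
    index = int(severity) * int(likelihood)
    if index >= 12:
        return "unacceptable"
    if index >= 6:
        return "reduce-further"
    return "acceptable"


def expand_controls(rows: list) -> list:
    """Every Hazard a Risk Control introduces becomes its own row, so it is
    estimated like any other Hazard instead of hiding inside the control."""
    expanded = []
    for row in rows:
        expanded.append(row)
        if row.control_hazard is not None:
            expanded.append(row.control_hazard)
    return expanded


def assess(rows: list) -> dict:
    """Map hazard -> (initial risk level, residual risk level after control)."""
    result = {}
    for row in expand_controls(rows):
        if row.origin == "security" and row.basis.strip().lower() == "attacker motivation":
            # The text notes that motivation is a weaker indicator of attack
            # likelihood than commonly assumed; require a better-founded basis.
            raise ValueError(f"{row.hazard}: likelihood rated on motivation alone")
        initial = risk_level(row.severity, row.likelihood)
        residual = risk_level(row.severity, row.residual_likelihood or row.likelihood)
        result[row.hazard] = (initial, residual)
    return result


# Constructed sample: a hypothetical infusion device, not from the book.
LOCKOUT = Row(                  # Hazard introduced by the security control itself
    function="therapy delivery",
    cause="signature check rejects a valid update and blocks the pump",
    origin="safety",
    hazard="therapy interruption",
    harm="under-dose",
    severity=Severity.SERIOUS,
    likelihood=Likelihood.REMOTE,
    basis="software failure rate estimate, low confidence",
)

TAMPERED_DOSE_TABLE = Row(      # Group 2 input from Security Risk Analysis
    function="dose-rate computation",
    cause="dose table altered via unauthenticated service port",
    origin="security",
    hazard="incorrect dose rate",
    harm="over-dose",
    severity=Severity.CRITICAL,
    likelihood=Likelihood.OCCASIONAL,
    basis="exposure of the service port and effort needed to reach it",
    control="authenticated, signed configuration updates",
    residual_likelihood=Likelihood.IMPROBABLE,
    control_hazard=LOCKOUT,
)

if __name__ == "__main__":
    for hazard, (before, after) in assess([TAMPERED_DOSE_TABLE]).items():
        print(f"{hazard}: {before} -> {after}")
```

Running the module lists two rows, not one: the security-originated Hazard drops from unacceptable to acceptable once the control is applied, while the control's own lock-out Hazard appears as a separate entry that still needs its own risk reduction, which is the point the paragraph above makes about Risk Controls creating Hazards.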
The FDA has released a guidance titled Postmarket Management of Cybersecurity
in Medical Devices [25]. In this guidance, the FDA states that “estimating the