CC3235MODASF: How to perform Cybersecurity Testing for medical product

Part Number: CC3235MODASF
Other Parts Discussed in Thread: CC3235MODSF

Hi team,

My customer uses CC3235MODSF in a medical product. To sell on the local market, they need to submit a Cybersecurity Testing report to the government.

Please advise how to perform Cybersecurity Testing on CC3235MODSF. Thank you.

The Cybersecurity test mainly includes the two items below.

  1. Vulnerability Scanning
  2. Penetration Testing

The government doesn't define the test plan step by step. They just ask the manufacturer to provide a testing report. Then the government verifies whether the report is complete.

The link below is the test analysis example from the government. Please refer to chapter 3.5. Sorry, they only have a Chinese version.

Analysis example for Cybersecurity Testing Methodology

My customer said the above guide is similar to the US or EU guides.

US FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff (fda.gov) (P.23 Item 4.)

EU MDCG Guidance on Cybersecurity for medical devices (P.22  3.7 Verification/Validation)

  • Hi, 

    We don't have any CyberSecurity report that we can share.

    The CC3235 passed FIPS validation (for the crypto algorithms) and the report can be found here.

    Kobi

  • Hi Jerry,

    It looks like your customer did not understand the point of cyber security. Because each device is unique with unique feature sets, a universal "checklist" cannot exist. Your customer needs to do a risk assessment and, according to it, specify the required steps (penetration testing, code audit, security audit, etc.). How the risk assessment should look depends on the product type and the legal requirements for such a product.

    If your customer does not have experience in the cyber security field, he should ask a 3rd party company for a security audit.

    Jan