    Episode 69 · August 5, 2025 · 23m listen · 4,144 words · ~21 min read

    Understanding Cybersecurity Measures and Metrics for Medical Devices | Ep. 31 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 69 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    This episode of The Med Device Cyber Podcast delves into the crucial distinctions between cybersecurity measures and metrics for medical devices, a topic often misunderstood yet vital for FDA submissions. Hosts Christian Espinosa and Trevor Slatterie clarify that measures are quantifiable attributes (e.g., time to patch), while metrics are derived calculations (e.g., percentage of systems patched within a timeframe). The discussion highlights the FDA's specific requirements in 510(k) and PMA submissions, focusing on vulnerability management, patch availability, and deployment durations. The hosts emphasize the importance of a risk-based approach to vulnerability remediation, aligning timelines with device architecture and potential impact on patient safety. They explore strategies for detecting incidents, designing effective alerting mechanisms, and the significance of a robust postmarket surveillance plan. The episode also touches on the applicability of these measures and metrics across different device lifecycle stages and environments, providing valuable insights for product security teams, regulatory leads, and engineers navigating the complexities of medical device cybersecurity compliance and beyond.

    Key takeaways from this episode

    • Measures are quantifiable attributes like the time taken to apply a patch or the number of incidents, while metrics are calculations derived from these measures, often expressed as percentages, such as patch management efficiency.
    • The FDA is specifically interested in measuring the percentage of identified vulnerabilities that are updated or patched, the duration from vulnerability identification to patch availability, and the duration from patch availability to deployment across all fielded products.
    • A risk-based approach is crucial for vulnerability remediation, prioritizing critical vulnerabilities for faster patching while considering the device's architecture and the feasibility of over-the-air updates versus manual service technician deployments.
    • Implementing effective alerting mechanisms directly into medical devices can compensate for the lack of real-time monitoring by traditional SOCs, notifying users of security events and guiding them on how to report anomalies to the manufacturer.
    • While the FDA outlines minimum cybersecurity measures and metrics, manufacturers should strive to exceed these baselines to demonstrate a serious commitment to product security throughout the device's lifecycle and across various deployment environments.
    • Understanding the applicability of these measures and metrics is essential, as new devices without predicate data may only need a plan for collection, while established devices or PMA annual reports require actual data.
    • Beyond compliance, the ability to translate collected measures and metrics into actionable plans for risk reduction is paramount for effective medical device cybersecurity.
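As an added illustration (not code from the episode or the hosts), the three figures the takeaways say the FDA looks for can be computed from a manufacturer's own vulnerability tracking records; the records below are constructed, the fleet is assumed to be three fielded units, and the per-severity day targets are placeholders rather than FDA values.

```python
from datetime import date

# Constructed sample findings (not from the episode). 'deployed' maps each fielded
# unit to the date the patch reached it; None means the unit has not received it yet.
VULNS = [
    {"id": "V-1", "severity": "critical", "identified": date(2025, 1, 6),
     "patch_available": date(2025, 1, 13),
     "deployed": {"dev-a": date(2025, 1, 15), "dev-b": date(2025, 1, 20),
                  "dev-c": date(2025, 1, 21)}},
    {"id": "V-2", "severity": "high", "identified": date(2025, 1, 8),
     "patch_available": date(2025, 2, 10),
     "deployed": {"dev-a": date(2025, 2, 12), "dev-b": None,
                  "dev-c": date(2025, 2, 18)}},
    {"id": "V-3", "severity": "low", "identified": date(2025, 1, 10),
     "patch_available": None, "deployed": {}},
]
FLEET = ("dev-a", "dev-b", "dev-c")   # assumed set of all fielded units
AS_OF = date(2025, 3, 1)              # assumed reporting date for open findings
# Assumed remediation targets in days per risk tier (placeholders, not FDA numbers).
TARGET_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

def percent_patched(vulns):
    """Metric: percentage of identified vulnerabilities that have a patch available."""
    patched = sum(1 for v in vulns if v["patch_available"] is not None)
    return round(100.0 * patched / len(vulns), 1) if vulns else 0.0

def days_to_patch(v):
    """Measure: days from identification to patch availability (None if no patch yet)."""
    if v["patch_available"] is None:
        return None
    return (v["patch_available"] - v["identified"]).days

def days_to_full_deployment(v, fleet=FLEET):
    """Measure: days from patch availability until every fielded unit has it (None if incomplete)."""
    if v["patch_available"] is None or any(v["deployed"].get(d) is None for d in fleet):
        return None
    return (max(v["deployed"][d] for d in fleet) - v["patch_available"]).days

def over_target(vulns, today=AS_OF, targets=TARGET_DAYS):
    """IDs whose identification-to-patch time exceeds the tier target; open findings count up to today."""
    late = []
    for v in vulns:
        elapsed = days_to_patch(v)
        if elapsed is None:
            elapsed = (today - v["identified"]).days
        if elapsed > targets[v["severity"]]:
            late.append(v["id"])
    return late

if __name__ == "__main__":
    print(f"patched: {percent_patched(VULNS)}%")
    for v in VULNS:
        print(v["id"], v["severity"], days_to_patch(v), days_to_full_deployment(v))
    print("over target:", over_target(VULNS))
```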

    Full episode transcript

Hi, welcome back to The Med Device Cyber Podcast. Today we're going to talk about measures and metrics, a commonly misunderstood topic. Measures are different than metrics, and the FDA is looking for very specific things in a 510(k) or PMA submission. We'll cover these in enough detail so you can have a decent understanding of them. I'm Christian Espinosa, your co-host here with Trevor Slatterie. How are you doing today, Trevor? Doing good. Getting some nice weather right now. Are you in Sedona? I am in Sedona. Yeah. You know, I did use AI once to create a snippet of one of our podcasts, and it mentioned the guy with the bull in the background. It referenced you as that, and that's where you are. I see the bull picture in the background. Is it a bull or what is that? I think it's a yak or a bull. Something like that. Yeah, it's funny. The AI referred to you as the young man with the bull in the background or something like that. There you go. Cool. All right. So, I think it's important to start with the definition of a measure and then the definition of a metric. A measure is just like a tape measure, right? It's like a quantifiable attribute of something, like how long does it take to apply a patch? How many incidents occurred? That's a measure. Whereas a metric is some sort of calculation derived from a couple of measures, typically usually a percentage. Do you have anything to elaborate on those two? Yeah, so essentially what we're saying is that the metrics are derived from measures, and so they go hand in hand, but they are distinct, separate items. Yeah. So, an example would be a measure: how long does it take to apply a patch? A metric could be your patch management efficiency: the percentage of systems patched within a defined time. So that's a percentage, the metric, versus the duration, which is the measure. Spoiler for what we're going to talk about when we say what the FDA wants to see. That's a spoiler. We'll get there in a few minutes, I'm sure.
All right. So now that we understand a measure versus a metric, what does the FDA want to see in terms of measures? We'll start with measures first. Well, I think before we get into the specific measures and metrics, we should talk about how the FDA wants to see us collect the figures that go into this. So, the measures and metrics are these quantifiable figures: how long does it take to apply a patch? How many vulnerabilities are we remediating? And they want to see, now that we're understanding these different measures and metrics, how are we getting the information to provide this? And so the first thing, when we're looking at the required FDA documentation, they combine the total product life cycle considerations into the measures and metrics when you're looking at the headings throughout FDA guidance and through the eSTAR submission process. And so the first area that the FDA wants to see you cover is how you are identifying, addressing, and mitigating vulnerabilities, which is essentially three separate and comprehensive questions, but it should talk about your vulnerability management process, any tools, any processes that you're using for collecting these vulnerabilities, and then how you're tracking them once you've identified them. Well, I think the measures that go with that are once you've identified a vulnerability and you've verified it actually is a real vulnerability, what's the risk associated with it? And then if the risk is critical, how quickly should that be patched versus if the risk is low, as an example, that duration would be a measure. Right? Yeah. Yeah. And that feeds directly into, we can, well, we can talk about what the measures and metrics are and then work backwards from how we get to these figures. So, the FDA wants to see as one of the first points what your percentage of identified vulnerabilities that are updated or patched is.
And so, especially with a complicated device, you can get hundreds, if not thousands, of vulnerabilities at a single time. And so seeing these come in, how are you triaging them based on severity? Like you mentioned, it's going to be more important to handle these critical vulnerabilities as opposed to these low vulnerabilities. What is your timeline for remediation in just general patch cycles? And so if you're following sprints, which a lot of engineers and manufacturers like to follow that development cycle, what are your sprint cycles looking like? How many vulnerabilities are you remediating per sprint cycle? You should be looking at as close to 100% of critical vulnerabilities as possible, and then you can start tapering off as you go down lower in risk. So, what are the typical measures then for what you just talked about? Because this comes up quite often if I have identified a high-risk item or critical risk item. What are the typical timelines that should be applied to get that patch rolled out?