Chapter 6: eSTAR Submission Documentation · Section 6.5

Cybersecurity Risk Assessment Documentation for eSTAR Submission

6.5.1 Transforming Your Risk Analysis for FDA Review

Your cybersecurity risk assessment (developed through the process in Chapter 3.7) forms the backbone of your security argument to FDA. However, the risk analysis you use internally needs enhancement to meet FDA's submission requirements and demonstrate compliance with regulatory expectations.

The Documentation Evolution Process:

During development (Chapter 3.7), you created:

Risk identification from threat modeling
CVSS-based vulnerability scoring
Initial risk evaluation and prioritization
Basic control selection and implementation

For FDA submission, enhance this foundation by:

Adding explicit clinical context to all risk assessments
Demonstrating systematic integration with safety risk management
Providing comprehensive pre/post-mitigation analysis
Showing clear traceability to controls and testing

6.5.2 Pre-Submission Risk Assessment Review

Conduct a comprehensive review 6-8 weeks before submission to ensure your risk assessment meets FDA standards.

Submission Readiness Evaluation

Completeness Assessment:

All threats from threat model converted to risks
Each risk includes clinical impact analysis
Pre and post-mitigation assessments completed
Risk acceptance rationale documented for all residual risks
Integration with safety risk management demonstrated

FDA-Specific Requirements:

CVSS scoring uses medical device environmental factors
Known exploited vulnerabilities (CISA KEV) addressed
Total Product Life Cycle (TPLC) considerations included
Exploitability assessment appropriate for premarket context
Risk scoring methodology clearly documented

Common Enhancement Gaps

Insufficient Clinical Context Example:

❌ Development-Level Risk:
"RSK-001: Network eavesdropping could expose patient data. 
CVSS: 6.5 (Medium). Control: TLS encryption."

✅ Submission-Ready Risk:
"RSK-001: Patient Data Exposure via Network Eavesdropping
Threat Source: T-015 (Network traffic interception)
Clinical Impact: Unauthorized access to patient PHI including diagnoses, 
treatment plans, and vital signs. Could lead to identity theft, insurance 
fraud, or privacy violations affecting patient trust and care continuity.
CVSS Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Medical Device Environmental Score: 7.2 (Modified Confidentiality: High 
due to PHI exposure in clinical environment)
Pre-Mitigation Risk: High
Controls: TLS 1.2 encryption (CTL-NET-001), certificate pinning (CTL-NET-002)
Post-Mitigation Risk: Medium
Residual Risk Rationale: Remaining risk from potential certificate 
compromise is acceptable given difficulty of attack and monitoring controls
Safety Risk Transfer: No - privacy impact only, no direct patient safety risk"

Missing TPLC Considerations Example:

❌ Development Analysis:
"Buffer overflow vulnerability patched during development."

✅ Submission-Ready Analysis:
"RSK-023: Memory Corruption via Buffer Overflow
Discovery Context: Identified during security testing (fuzzing)
TPLC Assessment: Similar vulnerabilities likely to be discovered by 
attackers over 10-year device lifetime. Exploitability will increase 
as attack tools evolve.
Premarket Exploitability: Low (requires detailed protocol knowledge)
Projected Post-Market Exploitability: Medium-High (assume public exploits)
Mitigation Strategy: Input validation (CTL-SEC-015), memory protection 
(CTL-SEC-016), plus architectural controls to limit impact
Long-term Monitoring: Component included in ongoing vulnerability scanning"

6.5.3 FDA-Required Risk Assessment Elements

Transform your risk analysis to include all elements FDA expects to see.

Risk Scoring Methodology Documentation

CVSS Implementation for Medical Devices: According to FDA guidance and the MITRE CVSS Rubric for Medical Devices (FDA-qualified MDDT), document:

Risk Scoring Methodology:
1. Base CVSS v3.1 scoring per FIRST specification
2. Medical device environmental modifications per MITRE rubric
3. Clinical impact assessment using device-specific factors
4. Integration with ISO 14971 risk evaluation criteria

Environmental Factors Applied:
- Modified Confidentiality: Considers PHI exposure in clinical context
- Modified Integrity: Accounts for therapy/diagnostic impact  
- Modified Availability: Reflects critical care dependencies
- Safety Impact: Direct patient harm potential assessment
- Collateral Damage Potential: Multi-patient impact considerations

Risk Acceptance Criteria:

Risk Level Definitions:
- Critical (9.0-10.0): Immediate patient harm possible - Not acceptable
- High (7.0-8.9): Potential patient harm - Requires strong controls
- Medium (4.0-6.9): System impact, limited patient risk - Acceptable with controls
- Low (0.1-3.9): Minimal impact - Acceptable with basic controls

Special Considerations:
- Any risk with direct safety impact requires safety risk management evaluation
- CISA KEV vulnerabilities: Not acceptable regardless of CVSS score
- Multi-patient harm scenarios: Elevated response regardless of individual score

Pre/Post-Mitigation Analysis Structure

For Each Significant Risk:

Risk ID: RSK-007
Risk Title: Unauthorized Therapy Parameter Modification
Threat Source: T-003 (Authentication bypass)
Asset: Therapy configuration system

Clinical Impact Analysis:
Direct Patient Harm: Incorrect therapy settings could cause over/under treatment
Severity: Could result in patient death in worst case (insulin overdose)
Affected Population: Individual patient per incident
Time to Impact: Immediate upon parameter change
Detection Likelihood: Medium (depends on clinical monitoring)

Pre-Mitigation Assessment:
CVSS Base Score: 8.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Environmental Factors:
- Modified Integrity: High (therapy parameter critical)
- Safety Impact: High (direct patient harm possible)
- Collateral Damage: Low (single patient)
Clinical Risk Level: Critical

Mitigation Strategy:
Primary Controls:
- Multi-factor authentication (CTL-AUTH-003)
- Role-based access control (CTL-AUTH-004) 
- Parameter change confirmation (CTL-UI-002)
- Audit logging (CTL-LOG-001)

Post-Mitigation Assessment:
Residual CVSS: 4.3 (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L)
Environmental: Safety impact reduced by confirmation requirements
Clinical Risk Level: Medium
Acceptance Rationale: Risk reduced to level consistent with similar devices; 
remaining risk from insider threat acceptable given strong audit controls

6.5.4 Integration with Safety Risk Management

FDA specifically requires demonstration of security-to-safety risk integration.

Documentation of Transfer Process

Risk Transfer Decision Tree:

For Each Security Risk:
1. Could this compromise essential device functions?
   Yes → Transfer to safety risk management (ISO 14971)
   No → Continue as security risk

2. Could this delay/prevent critical patient care?
   Yes → Transfer to safety risk management
   No → Continue as security risk

3. Could this affect life-supporting/life-sustaining functions?
   Yes → Transfer to safety risk management (Class III consideration)
   No → Document rationale for security-only classification

Transfer Documentation Example:

Security Risk: RSK-012 (DoS attack causing device unavailability)
Safety Risk: SAF-045 (Device unavailable during patient emergency)

Transfer Rationale:
Security risk RSK-012 could prevent device from providing critical 
monitoring during patient emergency. Per ISO 14971, this constitutes 
a safety hazard requiring safety risk management evaluation.

Safety Analysis:
Hazard: Patient monitoring unavailable due to cyberattack
Clinical Situation: ICU patient requires continuous cardiac monitoring
Harm: Missed arrhythmia detection leading to cardiac arrest
Probability: P2 (Improbable but possible)
Severity: S1 (Death)
Risk Level: Unacceptable per ISO 14971 risk matrix

Safety Controls:
- Redundant monitoring systems (SAF-CTL-045)
- Manual monitoring procedures (SAF-CTL-046)
- Automated backup alerting (SAF-CTL-047)

Residual Safety Risk: Acceptable (P3/S1 with controls)

6.5.5 Addressing FDA's Specific Concerns

Anticipate and address FDA's key review focus areas.

Known Exploited Vulnerabilities (CISA KEV)

FDA guidance states: "Vulnerabilities identified in CISA Known Exploited Vulnerabilities Catalog should be designed out of the device."

Documentation Approach:

CISA KEV Assessment:
1. Cross-reference SBOM against current CISA KEV catalog
2. For any matches found:
   - Document immediate remediation (update/patch)
   - If remediation not possible, provide detailed risk analysis
   - Justify why alternative controls provide equivalent protection
   - Include timeline for future remediation

CISA KEV Status: As of [submission date], no components in device 
SBOM appear in CISA KEV catalog. Ongoing monitoring process established 
per cybersecurity management plan to address future KEV additions.

Exploitability Assessment for Premarket Context

FDA notes that premarket exploitability assessment differs from postmarket vulnerability analysis.

Premarket Exploitability Framework:

Exploitability Assessment Methodology:
Base Assumption: Worst-case threat actor with sufficient motivation
Attack Vector: Network accessible interfaces assumed hostile
Exploit Complexity: Assume attackers will develop tools over device lifetime
Prerequisites: Document required access levels and knowledge

Example Assessment:
Vulnerability: Authentication bypass via protocol flaw
Premarket Exploitability: 
- Current: Low (requires detailed protocol reverse engineering)
- Year 3: Medium (assume public analysis available)
- Year 7: High (assume automated tools developed)
- Year 10: Very High (assume widespread exploitation)

Mitigation Strategy: Designed for worst-case (Year 10) assumption
Controls: Protocol redesign eliminating flaw, not relying on obscurity

6.5.6 Risk Assessment Report Structure for Submission

Organize your enhanced risk assessment for optimal FDA review.

6.5.7 Quality Standards and Common Deficiencies

Professional Documentation Standards

Risk Description Quality:

Consistent format across all risk entries
Clear, quantifiable impact statements
Specific control implementation details
Traceable acceptance rationale

Technical Accuracy:

CVSS scores calculated correctly using medical device rubric
Environmental factors appropriately applied
Clinical impacts realistic and well-researched
Control effectiveness properly assessed

Avoiding Common FDA Deficiencies

Incomplete Clinical Impact Analysis:

❌ FDA Deficiency: "Risk assessment does not adequately address 
clinical impact of identified vulnerabilities. Please clarify how 
technical risks could affect patient care."

✅ Prevention: Include explicit clinical scenario for each risk:
- What happens to patient care if this risk occurs?
- How quickly could harm result?
- What warning signs would be available?
- How would clinical staff respond?

Inadequate Safety Integration:

❌ FDA Deficiency: "The relationship between cybersecurity risks 
and safety risks is not clear. Please demonstrate integration 
with ISO 14971 safety risk management."

✅ Prevention: 
- Clear decision criteria for security-to-safety transfers
- Documented safety risk analysis for transferred risks
- Integrated control strategies addressing both domains
- Consistent risk evaluation across security and safety

Insufficient TPLC Consideration:

❌ FDA Deficiency: "Risk assessment appears to only consider 
current threat landscape. Please address how risks may evolve 
over device lifetime."

✅ Prevention:
- Explicit TPLC assumptions in methodology
- Projected exploitability evolution for key risks
- Long-term monitoring and update strategy
- Worst-case scenario planning for risk assessment

6.5.8 Final Submission Preparation

4-Week Pre-Submission Checklist

Content Verification:

All threats from threat model addressed as risks
CVSS scores calculated using medical device rubric
Clinical impact analysis completed for all significant risks
Safety integration documented for applicable risks
CISA KEV assessment current as of submission date

Quality Review:

Consistent risk numbering and cross-references
Professional formatting and presentation
Technical accuracy verified by security team
Clinical scenarios reviewed by clinical experts

Integration Check:

Risk IDs consistent across all submission documents
Controls referenced match implementation documentation
Test coverage addresses all medium/high risks
Architecture views reflect risk mitigation strategies

Remember: Your risk assessment must convince FDA that you've systematically identified, analyzed, and addressed cybersecurity risks that could affect patient safety. The goal is demonstrating thorough analysis and appropriate risk management, not claiming zero risk.

Key Success Factor: The most effective risk assessment submissions show clear progression from threat identification through risk analysis to control implementation and validation. This demonstrates a mature, systematic approach to cybersecurity risk management that FDA expects from responsible manufacturers.

See how your device measures up

Take the free FDA 524B readiness assessment and get a personalized gap report covering this topic and more.

Check Your Readiness