SaMD Design Inputs for FDA Regulatory Considerations

---

Design Inputs are critical in establishing and memorializing the intended use of the SaMD, the environment, safety, security, privacy and overall compliance requirement. 

Information from the user requirements should be used to document the basis for the development of quantifiable engineering inputs for SaMD realization as defined in a Design and Development Plan. 

The requirements development process may be iterative and continue through the completion of the Design Outputs prior to verification. Design Input documents shall be reviewed, approved, and revision controlled.

One of the areas that development teams struggle with is setting requirements for data protection and information security for the SaMD, especially when planning commercialization in countries subject to GDPR. These requirements must reflect the need for data protection and information security and should be included as part of the Design and Development Plan. 

When requirements for data protection and security, tolerance levels, data protection impacts, and security risks are established early, the engineering team will already know which requirements they need to meet and can therefore mitigate the risks associated with data protection and information security throughout the SaMD development process.

It is important to know what categories of data will be processed by the SaMD or product, what conclusions can be drawn about individuals based on the data being processed, who is the user and owner of the data, and if deploying in the EU, who is defined as the controller, and if applicable, who is the data processor or recipient of the personal data. This is necessary for determining which laws, rules, guidelines, and codes of conduct are applicable to the software being developed. 

Clear and concise information about how the data will be used is fundamental to ensure protection of data subject’s rights. The SaMD must make it easy for the data subjects to exercise their rights, such as access, information, rectification, restriction, and data portability. SaMD developers must ensure the security of data during e.g., collection, storage, alteration, viewing, communication, and deletion. Encryption and access control are examples of measures that can be used to help ensure security.

The SaMD security requirements are best determined by identifying which risks the SaMD may be exposed to, and which risks the SaMD developer/manufacturer is willing to take. 

Defining risk tolerance levels

Risk assessment is about identifying the potential consequences of different incidents or scenarios and assessing how likely or easy it is that an unwanted incident occurs. SaMD manufacturers should establish the degree of risk they are willing to take in different scenarios. This is called risk tolerance. This tolerance level provides guidance on what measures and resources need to be put in place to ensure that the SaMD does not exceed the defined level of acceptable risk. 

Security Risk Assessment

A risk assessment begins with mapping values that should be secured. A threat assessment should be carried out to identify which actors could be interested in the values, and which attack vectors different threat actors use. An evaluation is then carried out to determine which values are vulnerable to any given threat. Information security standards can help to detect vulnerabilities, thus also identifying the requirements that need to be established for data protection and security. The result of the risk assessment should be assessed against the security tolerance level. If the risk level is higher than the pre-determined level of acceptable risk, measures must be implemented to mitigate the risk. It is also necessary to determine who will be responsible for the measure, and to set a deadline for implementation.

Generally, the following security design inputs are to be considered:

• Confidentiality. Personal data must be secured against unauthorized disclosure or access.
• Integrity. Personal data must be secured against accidental and unlawful destruction, loss, or alteration.
• Availability. Personal data must be available to authorized personnel who require it for their work.
• Resilience. SaMD must be able to resist vulnerabilities, attacks, and accidents.
• Traceability. The documentation of changes made within the SaMD and to personal data. The purpose of traceability is to manage security breaches.

Special consideration for :

SaMD Access control

• Users must be identified;
• Which roles should have which rights (principle of least privilege);
• It is possible to control traceability when auditing logs;
• Users are granted access only to information necessary for the performance of individual tasks (principle of least privilege);
• Administrator privileges are given to a small number of individuals based on principle of least privilege;
• The data subjects have access to their own personal data;
• Passwords are securely handled, and the software requires strong passwords.
• The SaMD supports and requires strong authentication (such as two-factor authentication) where necessary (e.g., users may be encouraged to use it, while it is required of administrators and users with access to personal data requiring protection or personal data on multiple subjects);
• The SaMD must monitor if and when anyone attempts to gain unauthorized access; and
• The SaMD must restrict access by third parties, and limit what a third party may access (e.g., restrict access to specified IP addresses or provide temporary and limited access).

The SaMD must ensure that there is appropriate and sufficient information security during the storage and communication of data. Encryption can help to achieve this. When using encryption, widespread and recognized algorithms and methods must be used at all times, with a sufficient key length. Minimum requirements must be set for administration, specifying how often security algorithms must be reviewed and updated

• at endpoints (PC, laptop, telephone, tablet)
• upon remote access 
• upon transfer and storage via cloud services 
• for backup and security copies, and units containing backup data

The SaMD must protect the integrity of data and be able to detect changes in files, servers, and networks, by:

• comparing hash values and checksums
• limiting write access
• regular integrity checks
• setting reference values (min/max)

The SaMD must ensure that personal data is available when necessary through

a. Redundancy

b. contingency plans

c. incident management

d. the software must be able to restore availability and access to personal data in a timely manner in the event of a physical or technical incident

The SaMD must be resilient. It must:

a. be secured against known security holes and vulnerabilities

b. be correctly configured

c. ensure segmentation of stored data, systems, processors, and networks

d. ensure that third party software and patches are kept up-to-date

e. be capable of receiving notifications from users and others about vulnerabilities in the software, and of ensuring that they are managed and taken seriously ensure the secure destruction of media that process personal data

The SaMD must allow changes to be traced and enable management of security breaches by:

a. documenting software and procedures

b. logging configuration changes, processes, activities, and incidents

c. access control to logs based on the principle of least privilege and only when access is specifically required

d. deleting or anonymising logs after a given deadline

e. not storing logs for longer than necessary