This was great-thanks for hosting, Rob. I have a question: If penetration testing identifies cybersecurity vulnerabilities in a mobile medical app, is it necessary to conduct and document a complete impact assessment and regression analysis of the software before implementing the cybersecurity fix? After the issue is resolved, would it be required to develop a regression testing report, or is it sufficient to simply fix the cyber vulnerability and document that it was addressed?
Usually you don't want to submit software for pen testing until it is "bug free." So the last thing you are probably going to do is validate the software to make sure your last few bugs are gone. But you don't need an impact assessment and regression analysis before you submit the software for pen testing. After vulnerability testing and pen testing are completed, you will have a new list of things to fix. After you fix the security issues, you should probably repeat your validation again before sending it back for pen testing. This would be the logical time to develop your validation testing report, but you could also do it after the final security testing. Hopefully, the second time the security issues are gone and you don't have to repeat the process a third time.
There are 8 security controls that must be included as a minimum. Those are included in the eSTAR and the help Java script window explains each one. The list of 8: A) Authentication controls: B) Authorization controls: C) Cryptography controls: D) Code, data, and execution integrity controls: E) Confidentiality controls: F) Event detection and logging controls: G) Resiliency and recovery controls: H) Firmware and software update controls:
Great question. The FDA states that the qualifications of the tester need to be documented, but the requirements do not include specific training in medical devices.