The NIST Cybersecurity Framework

by Govind Yatnalkar | Apr 2, 2021 | Cybersecurity, Digital Health, FDA, Medical Devices

NIST stands for National Institute of Standards and Technology, a federal agency that develops and promotes measurements, standards, and technology to improve system productivity. NIST publishes a robust Cybersecurity Framework, and it is one of the most popular topics in the MedTech industry. Cybersecurity here means the protection of user data and electronic documents against cyber-attacks. Being in the medical device industry, I wanted to know which cybersecurity framework or tools I should use to protect patients and their data. That is when I found the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework is organized around five major functions: Identify, Protect, Detect, Respond, and Recover. Let us begin with Identify, which means identifying the threats present in the system. In this phase, software, quality, and cybersecurity engineers work together to identify all potential threats or vulnerabilities present in the system. For example, in a web application, the session might store critical tokens. Identification of all such issues should be completed in this phase.[1]

The next two functions are Protect and Detect. Protect covers the mechanisms added to defend the system against its vulnerabilities. For example, system access may be protected by a simple email and password, and an additional layer of security may be added with user-specific PIN codes. Detect is the process in which software and cybersecurity engineers add code that specifically notifies authorized users that a cyber-attack has occurred. This can be achieved with monitoring algorithms that keep the system under continuous data monitoring and identify anomalies in the user-generated data. A major mechanism that must be built into detection algorithms is notification: for any specific issue, detection is only useful if the system notifies the users of a data leak or breach.[2]
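As an added illustration of the Detect function described above (this is example code written for this page, not code from the original post or from NIST), the block below watches a constructed authentication/access log for two anomalies, a burst of failed logins from one address and a burst of record exports by one user, and routes each hit through a notification callback. The log format, the event names, the thresholds and the window sizes are all assumptions chosen for the example.

```python
# Added example (not from the original post): a minimal "Detect" component
# that watches access events for anomalies and notifies on each hit.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp event user ip" format.
SAMPLE_LOG = """\
2021-04-02T10:00:01 LOGIN_OK      alice 10.0.0.5
2021-04-02T10:00:05 LOGIN_FAIL    bob   10.0.0.9
2021-04-02T10:00:07 LOGIN_FAIL    bob   10.0.0.9
2021-04-02T10:00:09 LOGIN_FAIL    bob   10.0.0.9
2021-04-02T10:00:12 LOGIN_FAIL    bob   10.0.0.9
2021-04-02T10:00:14 LOGIN_FAIL    bob   10.0.0.9
2021-04-02T10:00:20 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:21 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:22 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:23 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:24 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:25 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:26 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:27 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:28 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:29 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:00:30 RECORD_EXPORT alice 10.0.0.5
2021-04-02T10:05:00 LOGIN_OK      bob   10.0.0.9
"""

# Assumed detection rules: event type -> (threshold, window in seconds,
# which field identifies the actor the events are grouped by).
RULES = {
    "LOGIN_FAIL": (5, 60, "ip"),       # brute-force style login failures
    "RECORD_EXPORT": (10, 60, "user"), # unusually fast bulk export of records
}


def parse_line(line):
    """Split one log line into a record with a real datetime."""
    ts, event, user, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user, "ip": ip}


def detect(log_text, rules=RULES, notify=None):
    """Run the sliding-window rules over the log and return the alerts raised.

    notify(alert) is called for each alert as it fires; each (rule, actor)
    pair fires once so a single burst does not flood the on-call channel.
    """
    windows = defaultdict(deque)  # (event, actor) -> timestamps inside the window
    fired = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        rule = rules.get(rec["event"])
        if rule is None:
            continue  # event type not covered by any rule
        threshold, window_s, key_field = rule
        key = (rec["event"], rec[key_field])
        q = windows[key]
        q.append(rec["ts"])
        # Drop events that have aged out of the sliding window.
        while q and (rec["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alert = {"rule": rec["event"], key_field: rec[key_field],
                     "count": len(q), "at": rec["ts"].isoformat()}
            alerts.append(alert)
            if notify is not None:
                notify(alert)
    return alerts


def console_notify(alert):
    """Stand-in for the notification step; a real system would page or e-mail."""
    print(f"ALERT {alert['rule']}: {alert}")


if __name__ == "__main__":
    detect(SAMPLE_LOG, notify=console_notify)
```

Running the block prints two alerts: five failed logins from 10.0.0.9 within a minute, and ten record exports by alice within a minute. The point of the `fired` set is the caveat from the text: detection is only useful if someone is notified, and a notifier that repeats the same alert on every subsequent event is quickly ignored.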

The last two functions are Respond and Recover. Respond covers the actual countermeasures implemented by cybersecurity engineers. For example, an SQL-injection attack can be launched through a simple search field on a web page. There should be an additional layer of security behind that search field that filters the submitted data and inspects it for the specific elements commonly found in an SQL-injection string. Recover covers the methodologies that restore user data after an attack on the system; these may include techniques such as replicating data across multiple servers for backups. I would say Protect, Respond, and Recover are the three components chiefly responsible for defending systems against cyber-attacks and for retrieving data after a data breach.
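To make the search-field case concrete, here is an added example (written for this page, not code from the original post) that puts a query built by string concatenation next to the parameterized form, and adds the inspection layer the text describes as a logging/alerting supplement. The table, its rows and the regular expression are constructed for the example; the standard mitigation, which the block demonstrates, is to bind user input as a query parameter so the database never interprets it as SQL.

```python
# Added example (not from the original post): the search field from the text,
# with a vulnerable concatenated query beside its parameterized replacement.
import re
import sqlite3


def make_db():
    """Build a small in-memory table of (constructed) device records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO devices (name, owner) VALUES (?, ?)", [
        ("glucose-monitor-01", "alice"),
        ("infusion-pump-07", "bob"),
        ("ecg-recorder-03", "alice"),
    ])
    return conn


def search_vulnerable(conn, owner, term):
    """Deliberately weak: the term is pasted into the SQL text, so the
    database cannot tell the user's data apart from query code."""
    sql = (f"SELECT name FROM devices WHERE owner = '{owner}' "
           f"AND name LIKE '%{term}%'")
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, owner, term):
    """Parameterized: the query shape is fixed and the term is bound as data,
    so metacharacters in it are matched literally rather than executed."""
    sql = "SELECT name FROM devices WHERE owner = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (owner, f"%{term}%"))]


# Assumed inspection pattern: characters and keywords common in injection
# strings. This is the "filter" layer from the text; it is a detection aid
# that feeds logging and alerting, not a substitute for parameterization.
SUSPICIOUS = re.compile(r"('|--|;|\bOR\b|\bUNION\b)", re.IGNORECASE)


def inspect_input(term):
    """Return True when the search term should be logged as suspicious."""
    return SUSPICIOUS.search(term) is not None


def demo():
    """Run a normal term and a constructed tautology probe through both queries."""
    conn = make_db()
    probe = "' OR 1=1 --"  # classic textbook probe, used here to show the contrast
    return {
        "normal_vulnerable": search_vulnerable(conn, "alice", "ecg"),
        "normal_hardened": search_hardened(conn, "alice", "ecg"),
        # The concatenated query loses its owner restriction entirely.
        "probe_vulnerable": search_vulnerable(conn, "alice", probe),
        # The bound parameter is just an odd LIKE pattern that matches nothing.
        "probe_hardened": search_hardened(conn, "alice", probe),
        "probe_flagged": inspect_input(probe),
        "normal_flagged": inspect_input("ecg"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the probe, the vulnerable query returns every device regardless of owner, while the hardened query returns nothing, and `inspect_input` flags the term so the attempt can be recorded and reported, which ties Respond back to the Detect function's notification requirement.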

Indeed, manufacturers should always thoroughly verify and validate the software tools that establish a system as safe, efficient, and qualified. EMMA International has expertise in analyzing software applications and conducting a detailed risk assessment to identify any vulnerabilities present in the system. We specialize in software validation, including verifying that an FDA-accepted cybersecurity framework is implemented in your system. Do you have a software tool that needs to be FDA-compliant? Our seasoned quality and software experts can get your software tool completely validated and guide you through the FDA regulatory process to ensure your Software As/In a Medical Device product is FDA compliant. Contact us at 248-987-4497 or email us at info@emmainternational.com for more information.


[1] Cynthia J. Larose (October 2014). A Different Kind of “Virus”: FDA Follows NIST Framework in Cybersecurity Guidance for Medical Devices. Retrieved on March 02, 2021, from https://www.mintz.com/insights-center/viewpoints/2826/2014-10-different-kind-virus-fda-follows-nist-framework.

[2] NIST (2021). Cybersecurity Framework. Retrieved on March 02, 2021, from https://www.nist.gov/cyberframework.

Govind Yatnalkar
