todo
Action: Define cybersecurity roles & responsibilities
Description
Formally define who is responsible for what in cybersecurity: overall security risk management, link with safety, and penetration testing. Reflect it in QMS documents and communicate it to the team.
Checklist
Item: Identify key cybersecurity roles
Description
Identify the Tech Manager, Quality Manager/PRRC and security expert (internal or external) and map their cybersecurity responsibilities.
Tips to complete it in the quickest way
Reuse your existing org chart and role descriptions and just add explicit “cybersecurity” responsibilities instead of inventing new roles from scratch.
Item: Update QMS documentation
Description
Update job descriptions, procedures and/or RASIC so responsibilities for cybersecurity are explicitly documented.
Tips to complete it in the quickest way
Edit existing documents with tracked changes and keep cybersecurity additions as short bullet points.
Item: Communicate responsibilities to the team
Description
Explain to the team who owns what in cybersecurity and when they are involved.
Tips to complete it in the quickest way
Use a 15-minute review in an already planned meeting and one slide summarizing roles.
Action: Establish device context & threat model
Description
Document system architecture, data flows, users, SOUP and interfaces, and build a basic threat model describing assets, threats and security barriers.
Checklist
[] Context of risk assessment
[] Architecture diagram
[] Data flow diagram
[] Threat model diagram
[] Assets
Item: Identify threats and security barriers
Description
List relevant threat types (unauthorized access, tampering, data theft, service disruption, etc.) and define which controls act as security barriers.
Tips to complete it in the quickest way
Use a standard threat checklist (STRIDE-like) and map threats to existing controls first, then add only the missing ones.
Action: Implement Cyber Security Risk Matrix & ranking system
Description
Create and maintain the Cyber Security Risk Matrix (R-TF-030-003) including assets, threats, vulnerabilities, consequences, controls and CVSS-based evaluation and acceptance class.
Checklist
Item: Define matrix structure and fields
Description
Create the template with all mandatory columns: asset, threat, vulnerability, control, consequence, likelihood, CVSS, acceptance, treatment, etc.
Tips to complete it in the quickest way
Use a spreadsheet as the source of truth and lock the structure; copy field names directly from the cybersecurity plan.
Item: Implement CVSS calculation
Description
Configure formulas or a helper to calculate CVSS scores consistently.
Tips to complete it in the quickest way
Use an online CVSS calculator to build the vector string, and have the spreadsheet store the vector string together with the final score; record the CVSS version used (e.g. 3.1) in the matrix header so that scores entered at different times stay comparable.
Item: Seed the matrix with initial scenarios
Description
Populate the matrix with the main incident scenarios derived from the threat model.
Tips to complete it in the quickest way
Start with the 10–15 scenarios with the highest impact; AI can draft the descriptions from short prompts, but the security expert reviews each one before it enters the matrix.
Action: Implement risk treatment & safety-linked acceptance process
Description
Define and apply the risk treatment process for cybersecurity risks (reduce, eliminate, transfer, accept), respecting the hierarchy of controls and prohibiting transfer/acceptance for risks impacting patient safety.
Checklist
Item: Define risk treatment decision rules
Description
Write down the decision flow: inherent security first, then protective measures, then information for safety, and limits for transfer/acceptance.
Tips to complete it in the quickest way
Summarize the rules in a one-page flowchart instead of a long narrative, and reference the standards from the plan.
Item: Add treatment fields to the Risk Matrix
Description
Include fields for chosen treatment option, residual risk, justification and safety impact.
Tips to complete it in the quickest way
Extend the existing matrix instead of creating a new document; keep choices as dropdown values.
Item: Integrate with release decision
Description
Ensure that non-acceptable cybersecurity risks block release until treated and re-evaluated.
Tips to complete it in the quickest way
Add a short checkpoint in your release checklist: “All cybersecurity risks acceptable?” linked to the latest matrix.
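As an added example covering the three items above (decision rules, treatment fields, release checkpoint), and not code from the original checklist or the project, this script reads a matrix export and enforces the rules stated in this action: transfer/accept is refused for safety-relevant risks, a safety-relevant risk must carry a Safety Risk ID, a reduced or eliminated risk must have a residual evaluation, and any risk still not acceptable blocks release. The column names and the sample rows are assumptions constructed for the example, not the real R-TF-030-003 layout.

```python
import csv
import io

# Constructed sample of Risk Matrix rows (not real R-TF-030-003 content); the column
# names are assumed and mirror the fields listed in this action.
SAMPLE_MATRIX = """\
risk_id,asset,threat,cvss,acceptance,treatment,residual_cvss,safety_impact,safety_risk_id
CSR-001,API gateway,Credential stuffing,8.1,acceptable,reduce,4.3,N,
CSR-002,Inference service,Model tampering,7.5,not acceptable,transfer,,Y,
CSR-003,Audit log,Log retention misconfiguration,5.3,acceptable,accept,5.3,N,
CSR-004,Image upload,Malicious file upload,9.1,not acceptable,reduce,,Y,SR-017
"""

FORBIDDEN_FOR_SAFETY = {"transfer", "accept"}


def load_matrix(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def validate_row(row: dict) -> list:
    """Apply the treatment decision rules to one row; return the violations found."""
    problems = []
    rid = row["risk_id"]
    safety = row["safety_impact"].strip().upper() == "Y"
    treatment = row["treatment"].strip().lower()
    residual = row["residual_cvss"].strip()

    if safety and treatment in FORBIDDEN_FOR_SAFETY:
        problems.append(f"{rid}: '{treatment}' is not allowed for a safety-relevant risk")
    if safety and not row["safety_risk_id"].strip():
        problems.append(f"{rid}: safety-relevant risk has no linked Safety Risk ID")
    if treatment in {"reduce", "eliminate"} and not residual:
        problems.append(f"{rid}: treatment '{treatment}' recorded without residual evaluation")
    return problems


def release_gate(rows: list) -> tuple:
    """Release checkpoint: (allowed, findings). Any rule violation or any risk whose
    acceptance class is not 'acceptable' blocks release until treated and re-evaluated."""
    findings = []
    for row in rows:
        findings.extend(validate_row(row))
        acceptance = row["acceptance"].strip().lower()
        if acceptance != "acceptable":
            findings.append(f"{row['risk_id']}: acceptance class '{acceptance}' blocks release "
                            "until the risk is treated and re-evaluated")
    return (not findings, findings)


if __name__ == "__main__":
    allowed, findings = release_gate(load_matrix(SAMPLE_MATRIX))
    print("release allowed:", allowed)
    for f in findings:
        print(" -", f)
```

Wire the script into the release checklist step "All cybersecurity risks acceptable?" so the answer comes from the latest matrix export rather than from memory.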
Action: Link cybersecurity risks to safety risks (Safety Risk Conversion Process)
Description
When a cybersecurity risk can affect patient safety, create or update a corresponding safety risk (ISO 14971) and link the two with IDs.
Checklist
Item: Define safety impact assessment rule
Description
Specify when a cybersecurity risk is considered safety-relevant and requires a safety risk entry.
Tips to complete it in the quickest way
Use a simple yes/no question: “Can this vulnerability lead to wrong diagnosis/treatment or unavailability of needed service?”
Item: Add cross-reference fields
Description
Add “Safety impact (Y/N)” and “Safety Risk ID” fields in the Cyber Security Risk Matrix.
Tips to complete it in the quickest way
Reuse your existing safety risk IDs and avoid re-inventing numbering schemes.
Item: Update safety risk file template
Description
Ensure safety risk records can reference their originating cybersecurity risk.
Tips to complete it in the quickest way
Add a single optional field “Originating cybersecurity risk ID” to your existing safety risk form.
Action: Ensure verification & traceability of security requirements
Description
Make cybersecurity requirements traceable to specific test cases and ensure they are covered by unit, integration and/or verification tests.
Checklist
Item: Tag security requirements
Description
Identify and label all cybersecurity-related requirements in your requirements repository.
Tips to complete it in the quickest way
Add a “Security = Yes/No” flag and an ID prefix like “SEC-xxx” rather than moving them to a separate document.
Item: Link requirements to test cases
Description
For each cybersecurity requirement, assign at least one test case that verifies it.
Tips to complete it in the quickest way
Export requirements and tests, then use AI to suggest matches; a human validates and corrects every match before it is recorded.
Item: Generate a traceability matrix
Description
Create a simple matrix showing Req ↔ Test mapping and coverage status.
Tips to complete it in the quickest way
Automate generation from your test management tool / repo metadata when possible; if not, keep a small spreadsheet auto-filled from CSVs.
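As an added example for the three items above (tagging, linking, generating the matrix), and not a tool from the original checklist or the project, this script builds the Req ↔ Test matrix from two CSV exports. The column names ("security" flag, "verifies" list separated by ";") and the rows are constructed assumptions; it also flags tests that reference a SEC- ID that no longer exists, which is the usual way a matrix silently overstates coverage.

```python
import csv
import io
from collections import defaultdict

# Constructed exports, not real project data. Assumed columns: the requirements export
# carries the "security" flag from the tagging item; the test export lists the
# requirement IDs each test verifies, separated by ';'.
REQUIREMENTS_CSV = """\
req_id,text,security
SEC-001,Sessions expire after 15 minutes of inactivity,Yes
SEC-002,Passwords are stored with a salted adaptive hash,Yes
SEC-003,Audit log entries cannot be modified by application users,Yes
FR-042,Report can be exported as PDF,No
"""

TESTS_CSV = """\
test_id,title,verifies
T-101,Idle session is invalidated,SEC-001
T-102,Password hash format check,SEC-002;SEC-001
T-103,Legacy lockout test,SEC-009
T-200,PDF export smoke test,FR-042
"""


def build_matrix(req_csv: str, test_csv: str) -> dict:
    """Return {"matrix": {req_id: {...}}, "dangling": [(test_id, req_id), ...]} covering
    only requirements flagged as security requirements."""
    reqs = {r["req_id"]: r for r in csv.DictReader(io.StringIO(req_csv))
            if r["security"].strip().lower() == "yes"}
    tests_by_req = defaultdict(list)
    dangling = []
    for t in csv.DictReader(io.StringIO(test_csv)):
        for rid in filter(None, (x.strip() for x in t["verifies"].split(";"))):
            if rid in reqs:
                tests_by_req[rid].append(t["test_id"])
            elif rid.startswith("SEC-"):
                dangling.append((t["test_id"], rid))  # test points at a SEC req that does not exist
    matrix = {}
    for rid, r in reqs.items():
        tests = sorted(tests_by_req.get(rid, []))
        matrix[rid] = {"text": r["text"], "tests": tests,
                       "status": "covered" if tests else "NOT COVERED"}
    return {"matrix": matrix, "dangling": dangling}


def uncovered(result: dict) -> list:
    """Security requirements with no test case; non-empty means verification is incomplete."""
    return [rid for rid, row in result["matrix"].items() if row["status"] == "NOT COVERED"]


def render(result: dict) -> str:
    """Plain-text matrix suitable for pasting into the traceability document."""
    lines = ["req_id | tests | status"]
    for rid, row in result["matrix"].items():
        lines.append(f"{rid} | {', '.join(row['tests']) or '-'} | {row['status']}")
    for test_id, rid in result["dangling"]:
        lines.append(f"WARNING: {test_id} references unknown requirement {rid}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = build_matrix(REQUIREMENTS_CSV, TESTS_CSV)
    print(render(result))
    print("uncovered:", uncovered(result))
```

Run it in the pipeline and fail the build when uncovered() is non-empty or a dangling reference appears, so the matrix is regenerated from the exports at every release instead of being maintained by hand.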
Action: Implement security testing & penetration testing program
Description
Plan and execute recurring security testing, including functional security tests and penetration tests by a security expert, and document results in the Security Risk Testing Report (R-TF-030-005).
Checklist
Item: Define scope and depth of security tests
Description
Select the key areas: authentication, authorization, input validation, logging, error handling, crypto, deployment configuration, etc.
Tips to complete it in the quickest way
Start with a minimal list tied directly to your architecture instead of copying an enormous generic checklist.
Item: Integrate security tests into V&V
Description
Include security tests in the verification plan and test runs before release.
Tips to complete it in the quickest way
Mark security tests as a separate group in your existing test suite so they run as part of the same pipeline.
Item: Plan and perform penetration tests
Description
Engage a security expert to perform penetration testing and prioritize findings in the Risk Matrix.
Tips to complete it in the quickest way
Start with a narrow scope pentest on critical APIs/endpoints and reuse the same partner and scenario list in subsequent releases.
Item: Create and maintain Security Risk Testing Report
Description
Document the scope, methods, findings and conclusions of security testing.
Tips to complete it in the quickest way
Prepare a short report template now and fill it after each campaign by pasting from pentest reports and test results.
Action: Maintain Cyber security File & annual review of post-market data
Description
Maintain a structured Cyber security File and perform at least an annual review of production/post-production information to update threat model and risks.
Checklist
Item: Define Cyber security File structure
Description
Create a clear folder and index of all cybersecurity documents (plan, risk matrix, test reports, incidents, etc.).
Tips to complete it in the quickest way
Use a single root folder in your DMS with a README/index listing files and their purpose.
Item: Establish annual security review process
Description
Schedule an annual review of cybersecurity risks, threat model and controls using post-market data.
Tips to complete it in the quickest way
Add a recurring calendar event with a short checklist: review incidents, known vulnerabilities, changes and pending actions.
Item: Record review outcomes
Description
Document conclusions and required updates to risk matrix, threat model and procedures.
Tips to complete it in the quickest way
Capture decisions in a short meeting minutes template and link it from the Cyber security File index.
Action: Implement vulnerability intake & triage (customers & researchers)
Description
Set up channels and process to receive, document, classify and triage vulnerabilities reported by customers and security researchers.
Checklist
Item: Configure intake channels
Description
Route customer security incidents via GP-014 and security researcher reports via dedicated email (e.g. support@legit.health).
Tips to complete it in the quickest way
Update existing support templates to include a “security issue” option instead of building a separate system.
Item: Create Jira workflow for security issues
Description
Configure a specific issue type/labels and workflow steps for security vulnerabilities.
Tips to complete it in the quickest way
Clone your existing incident workflow and add just the extra fields you truly need (severity, affected component, CVSS link).
Item: Define triage guidelines
Description
Provide a short guide for the CTO team to verify, classify and prioritize vulnerabilities.
Tips to complete it in the quickest way
Base the guide on 1–2 pages with examples and reuse the CVSS-based severity from the risk matrix.
Action: Implement threat intelligence & vulnerability monitoring
Description
Monitor external sources (CISA KEV, NVD, ISAOs) at defined intervals to detect vulnerabilities affecting your stack, and update the risks or trigger the Incident Response Plan (IRP) when relevant.
Checklist
Item: Define monitoring frequency and scope
Description
Set periodicity (e.g. monthly) and list of sources and components to monitor.
Tips to complete it in the quickest way
Start with a single owner and one simple checklist instead of distributing the task among several people.
Item: Implement simple monitoring routine
Description
Run periodic checks on CISA KEV and NVD for technologies used by the device.
Tips to complete it in the quickest way
Use saved searches or RSS/alerts and review them in batch once per period.
Item: Record and process findings
Description
Log relevant vulnerabilities, evaluate impact and update the Cyber Security Risk Matrix or trigger the Incident Response Plan.
Tips to complete it in the quickest way
Use a simple log (spreadsheet or Jira issue type) and link entries directly to risk IDs instead of duplicating descriptions.
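As an added example for the monitoring routine and the findings log above (not code from the original checklist or the project), this script matches a CISA KEV feed against a component inventory and emits log entries already linked to the risk IDs. The feed field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those CISA publishes in the KEV JSON; the entries, the inventory and the risk IDs are constructed for the example. KEV carries no version information, so a hit means "evaluate this component now", not "this device is vulnerable": the impact evaluation and the decision to update the matrix or trigger the IRP remain a human step.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON. The field names are CISA's;
# the CVE IDs, vendors and products are made up for this example.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-00001", "vendorProject": "ExampleVendor", "product": "WebFramework",
     "vulnerabilityName": "ExampleVendor WebFramework deserialization vulnerability",
     "dateAdded": "2024-03-12", "shortDescription": "Constructed description.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-04-02", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-00002", "vendorProject": "OtherCo", "product": "Router OS",
     "vulnerabilityName": "OtherCo Router OS authentication bypass",
     "dateAdded": "2024-03-20", "shortDescription": "Constructed description.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-04-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-00003", "vendorProject": "ExampleVendor", "product": "WebFramework",
     "vulnerabilityName": "ExampleVendor WebFramework path traversal",
     "dateAdded": "2023-11-01", "shortDescription": "Constructed description.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-11-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Assumed component inventory derived from the SOUP/SBOM list, each entry linked to
# the Risk Matrix row that covers the asset (IDs are constructed).
INVENTORY = [
    {"vendor": "ExampleVendor", "product": "WebFramework", "risk_id": "CSR-007"},
    {"vendor": "ImagingLib", "product": "DICOM Toolkit", "risk_id": "CSR-012"},
]


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive key; KEV vendor/product strings are free text."""
    return " ".join(s.lower().split())


def kev_matches_since(kev_json: str, inventory: list, last_review_iso: str) -> list:
    """Return KEV entries added after the last review that name an inventory component,
    as log entries carrying the linked risk ID instead of a duplicated description."""
    last_review = date.fromisoformat(last_review_iso)
    by_key = {(_norm(c["vendor"]), _norm(c["product"])): c["risk_id"] for c in inventory}
    findings = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        if date.fromisoformat(v["dateAdded"]) <= last_review:
            continue  # already seen in a previous review period
        risk_id = by_key.get((_norm(v["vendorProject"]), _norm(v["product"])))
        if risk_id is None:
            continue  # not in our stack
        findings.append({
            "cve": v["cveID"],
            "risk_id": risk_id,
            "date_added": v["dateAdded"],
            "cisa_due_date": v["dueDate"],
            "known_ransomware_use": v["knownRansomwareCampaignUse"] == "Known",
            "status": "to evaluate",  # human decides: update matrix or trigger IRP
        })
    return findings


if __name__ == "__main__":
    for entry in kev_matches_since(KEV_SAMPLE, INVENTORY, "2024-03-01"):
        print(entry)
```

Replace KEV_SAMPLE with the downloaded feed and record the review date after each run; the same vendor/product matching can be reused for NVD results, where the CPE strings give the version information KEV lacks.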
Action: Implement coordinated vulnerability disclosure & external communication
Description
Operate a coordinated vulnerability disclosure (CVD) process including acknowledgement, analysis and communication to the submitter, customers and authorities within defined timelines.
Checklist
Item: Publish CVD policy
Description
Create and publish a clear CVD statement on your website with contact details and expectations.
Tips to complete it in the quickest way
Adapt standard CVD templates and align wording minimally with your plan instead of drafting from zero.
Item: Define internal CVD procedure
Description
Describe the 4 steps: receive, identify, communicate to the submitter, and notify customers/ISAO/FDA for uncontrolled risks.
Tips to complete it in the quickest way
Keep the procedure short and heavily reference existing incident and change control procedures.
Item: Prepare communication templates
Description
Create email templates for acknowledgements, status updates and customer/authority notifications.
Tips to complete it in the quickest way
Write a generic template and parameterize product, vulnerability ID and timeline so you only adjust specifics when used.
Action: Implement security patch management, change control & release/versioning
Description
Apply defined patch cycles (regular and out-of-cycle) for security fixes, integrate them with change control and development planning, and manage versions using SemVer and API versioning.
Checklist
Item: Define security patch timelines
Description
Operationalize Regular Patch Cycle (e.g. every 6 months) and Out-of-Cycle Patch Cycle (7–60 days for uncontrolled risks).
Tips to complete it in the quickest way
Summarize timelines in a single table and embed it into your change control SOP instead of writing a standalone policy.
Item: Integrate patching with change control and dev plan
Description
Ensure GP-023 and T-012-023 reflect how security changes are analyzed, implemented, tested and released.
Tips to complete it in the quickest way
Add a “security change” path to existing flowcharts instead of designing a new process.
Item: Configure SemVer and API versioning behavior
Description
Apply semantic versioning and define when to bump patch/minor/major, and how API changes are handled for clients.
Tips to complete it in the quickest way
Document a simple rule table (e.g. security fix → patch bump; backward-compatible API change → minor; breaking API → major) and enforce it through release checklist and CI tags.
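As an added example (not code from the original checklist or the project), this is the CI-side enforcement of the rule table above: given the previous release version and the kind of change being released, it computes the only tag that is allowed and rejects anything else. The change-kind labels and the version numbers are assumptions for the example; pre-release and build metadata suffixes are left out.

```python
import re

# SemVer 2.0.0 core version (MAJOR.MINOR.PATCH, no leading zeros); pre-release and build
# metadata are deliberately not handled in this example.
SEMVER = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")

# The rule table from the tip above; the change-kind labels are assumed for this example.
BUMP_FOR_CHANGE = {
    "security-fix": "patch",
    "bug-fix": "patch",
    "api-compatible": "minor",
    "api-breaking": "major",
}


def parse(version: str) -> tuple:
    """Accept '1.4.2' or a git tag 'v1.4.2'; refuse anything that is not SemVer."""
    m = SEMVER.match(version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"not a SemVer core version: {version!r}")
    return tuple(int(x) for x in m.groups())


def next_version(current: str, change_kind: str) -> str:
    """Version the change must be released as; lower components reset on a higher bump."""
    major, minor, patch = parse(current)
    bump = BUMP_FOR_CHANGE[change_kind]
    if bump == "major":
        return f"{major + 1}.0.0"
    if bump == "minor":
        return f"{major}.{minor + 1}.0"
    return f"{major}.{minor}.{patch + 1}"


def check_release_tag(previous: str, proposed: str, change_kind: str) -> tuple:
    """CI gate: (ok, message). The proposed tag must be exactly the bump the change
    kind requires; a security fix tagged as a minor release is rejected as much as a
    breaking API change tagged as a patch."""
    expected = next_version(previous, change_kind)
    if parse(proposed) == parse(expected):
        return True, f"{proposed} is the correct {BUMP_FOR_CHANGE[change_kind]} bump"
    return False, f"{proposed} rejected: {change_kind} from {previous} requires {expected}"


if __name__ == "__main__":
    for prev, tag, kind in (("1.4.2", "v1.4.3", "security-fix"),
                            ("1.4.2", "1.5.0", "security-fix"),
                            ("1.4.2", "2.0.0", "api-breaking")):
        print(check_release_tag(prev, tag, kind))
```

Feed the previous tag from git and the change kind from the change-control record; when the major component changes, the API clients see a new API version as well, so the major bump is the point where the client migration path has to be documented.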
Item: Update release and commissioning checklist
Description
Include checks that required security patches are included, tested and correctly versioned before commissioning.
Tips to complete it in the quickest way
Modify your existing release checklist rather than adding a new “security release” form.