OP.EXT.3 Protección de la cadena de suministro

☑️ Application of the measure

According to ANNEX II, 2 Selection of security measures, the security measure OP.EXT.3 Protección de la cadena de suministro does apply given the security category of the system.

Reference documents

  • ISO/IEC 27000:
    • 27002:2013:
      • 15.1.3 - Information and communication technology supply chain
  • NIST SP 800-53 rev4:
    • [SA-12] Supply Chain Protection
    • [SR-3] Supply Chain Controls and Processes
    • [SR-5] Acquisition Strategies, Tools, and Methods
  • Other references:
    • NIS2 Directive Article 21 - Supply chain security
    • FDA Cybersecurity in Medical Devices: Supply Chain Considerations
    • NIST SP 800-161 - Supply Chain Risk Management Practices

Implementation guide

  1. Supply chain protection measures shall be established to reduce the risks associated with products and services provided by third parties.

They shall include at least:

  • Identification and assessment of supply chain risks
  • Security measures for the supply chain
  • Procedures for managing supply-chain-related incidents
  • Procedures for supervising and auditing the supply chain

Implementation in Legit Health Plus

1. Medical supply chain protection framework

Protecting the supply chain of Legit Health Plus, a Class IIa medical device, requires specific controls to guarantee the integrity, authenticity and security of every critical component.

1.1 Critical supply chain map

```yaml
Medical_Supply_Chain_Map:
  Hardware_Components:
    Cloud_Infrastructure:
      - Provider: "AWS"
      - Components: ["EC2", "RDS", "S3", "CloudFront"]
      - Risk_Level: "Critical"
      - Geographic_Location: "EU (Ireland, Frankfurt)"
      - Backup_Providers: ["Microsoft Azure", "Google Cloud"]

    Medical_Devices:
      - Provider: "Hospital-grade tablets/workstations"
      - Components: ["Clinical display systems", "Input devices"]
      - Risk_Level: "Medium"
      - Certification_Required: "Medical device compatibility"

  Software_Components:
    AI_Frameworks:
      - Provider: "TensorFlow (Google)"
      - Components: ["ML runtime", "Model serving"]
      - Risk_Level: "Critical"
      - Security_Considerations: ["Model integrity", "Supply chain attacks"]

    Medical_Libraries:
      - Provider: ["DICOM libraries", "HL7 FHIR implementations"]
      - Components: ["Image processing", "Medical data exchange"]
      - Risk_Level: "High"
      - Validation_Required: "Clinical accuracy, regulatory compliance"

  Service_Dependencies:
    Critical_Services:
      - Provider: "Notified Body (BSI)"
      - Service: "CE Marking and MDR compliance"
      - Risk_Level: "Critical"
      - Impact: "Regulatory authorization to market"

    Security_Services:
      - Provider: "CrowdStrike"
      - Service: "Endpoint protection and threat intelligence"
      - Risk_Level: "High"
      - Impact: "Cybersecurity posture"
```

2. Supply chain risk assessment

2.1 Risk assessment methodology

```python
class MedicalSupplyChainRiskAssessment:
    def __init__(self):
        self.risk_categories = [
            'integrity_compromise',
            'availability_disruption',
            'regulatory_non_compliance',
            'cybersecurity_breach',
            'patient_safety_impact'
        ]
        self.supply_chain_tiers = ['tier_1', 'tier_2', 'tier_3']

    def assess_supplier_risk(self, supplier_data):
        """Assesses the risks specific to the medical supply chain"""
        risk_assessment = {}

        # Analysis per risk category
        for category in self.risk_categories:
            risk_score = self.calculate_category_risk(supplier_data, category)
            risk_assessment[category] = {
                'score': risk_score,
                'level': self.categorize_risk_level(risk_score),
                'mitigation_required': risk_score > 6.0
            }

        # Analysis of critical dependencies
        critical_dependencies = self.identify_critical_dependencies(supplier_data)

        # Risk concentration assessment
        concentration_risk = self.assess_supplier_concentration(supplier_data)

        overall_assessment = {
            'supplier_id': supplier_data['id'],
            'overall_risk_score': self.calculate_overall_risk(risk_assessment),
            'category_risks': risk_assessment,
            'critical_dependencies': critical_dependencies,
            'concentration_risk': concentration_risk,
            'recommended_controls': self.recommend_risk_controls(risk_assessment),
            'monitoring_requirements': self.define_monitoring_requirements(risk_assessment)
        }

        return overall_assessment

    def calculate_category_risk(self, supplier_data, category):
        """Calculates the risk for a specific category"""
        if category == 'integrity_compromise':
            return self.assess_integrity_risk(supplier_data)
        elif category == 'patient_safety_impact':
            return self.assess_patient_safety_risk(supplier_data)
        elif category == 'regulatory_non_compliance':
            return self.assess_regulatory_compliance_risk(supplier_data)
        # ... other per-category calculations
        return 0.0  # a category without a dedicated calculation scores 0, never None

    def assess_patient_safety_risk(self, supplier_data):
        """Specific assessment of the risk to patient safety"""
        safety_factors = {
            'affects_diagnosis_accuracy': supplier_data.get('affects_ai_model', False),
            'handles_patient_data': supplier_data.get('processes_phi', False),
            'critical_infrastructure': supplier_data.get('service_tier') == 'critical',
            'no_medical_backup': not supplier_data.get('has_medical_backup', True),
            'regulatory_history': supplier_data.get('regulatory_violations', 0) > 0
        }

        # Weighting specific to patient safety
        weights = {
            'affects_diagnosis_accuracy': 4.0,  # Highest weight for diagnostic accuracy
            'handles_patient_data': 3.0,
            'critical_infrastructure': 2.5,
            'no_medical_backup': 2.0,
            'regulatory_history': 3.5
        }

        risk_score = sum(
            weights[factor] for factor, present in safety_factors.items()
            if present
        )

        return min(risk_score, 10.0)  # 0-10 scale
```
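The `assess_supplier_concentration` step above is referenced but not defined on this page. The following is an added example, not the project's own code, of one way to compute it: a Herfindahl-Hirschman index (HHI) over the risk-weighted share of dependencies carried by each provider, checked against the KPI target of section 9.1 (concentration index < 0.3), together with the backup-supplier coverage KPI (>= 80% of critical services). The dependency list is constructed from the map in section 1.1; the risk weights (Critical 3, High 2, Medium 1) and the choice of HHI as the index are assumptions made here.

```python
# Constructed dependency list derived from the supply chain map in section 1.1
# (sample data for illustration; not the live supplier register).
DEPENDENCIES = [
    {'service': 'Cloud infrastructure', 'provider': 'AWS',
     'risk_level': 'Critical', 'backup_providers': ['Microsoft Azure', 'Google Cloud']},
    {'service': 'AI framework', 'provider': 'Google (TensorFlow)',
     'risk_level': 'Critical', 'backup_providers': []},
    {'service': 'CE marking / MDR compliance', 'provider': 'Notified Body (BSI)',
     'risk_level': 'Critical', 'backup_providers': []},
    {'service': 'Endpoint protection', 'provider': 'CrowdStrike',
     'risk_level': 'High', 'backup_providers': []},
    {'service': 'DICOM / HL7 FHIR libraries', 'provider': 'Open-source projects',
     'risk_level': 'High', 'backup_providers': []},
    {'service': 'Clinical workstations', 'provider': 'Hospital-grade tablets',
     'risk_level': 'Medium', 'backup_providers': []},
]

# Assumed weighting: a critical dependency counts three times a medium one.
RISK_WEIGHT = {'Critical': 3, 'High': 2, 'Medium': 1, 'Low': 1}
CONCENTRATION_THRESHOLD = 0.3   # KPI target from section 9.1
BACKUP_COVERAGE_TARGET = 0.8    # KPI target from section 9.1


def assess_supplier_concentration(dependencies):
    """Herfindahl-Hirschman index over risk-weighted provider shares.

    1.0 means one provider carries every dependency; 1/n means n providers share
    the weight equally. Returns the index, the dominant provider and the KPI verdict.
    """
    weight_by_provider = {}
    for dep in dependencies:
        weight = RISK_WEIGHT[dep['risk_level']]
        weight_by_provider[dep['provider']] = weight_by_provider.get(dep['provider'], 0) + weight
    total = sum(weight_by_provider.values())
    shares = {provider: w / total for provider, w in weight_by_provider.items()}
    hhi = sum(share * share for share in shares.values())
    top_provider = max(shares, key=shares.get)
    return {
        'hhi': round(hhi, 3),
        'largest_provider': top_provider,
        'largest_share': round(shares[top_provider], 3),
        'within_threshold': hhi < CONCENTRATION_THRESHOLD,
    }


def backup_coverage(dependencies):
    """Share of Critical/High dependencies that have at least one backup provider."""
    relevant = [d for d in dependencies if d['risk_level'] in ('Critical', 'High')]
    covered = [d for d in relevant if d['backup_providers']]
    ratio = len(covered) / len(relevant) if relevant else 1.0
    return {
        'covered': len(covered),
        'relevant': len(relevant),
        'ratio': round(ratio, 2),
        'meets_target': ratio >= BACKUP_COVERAGE_TARGET,
        'gaps': [d['service'] for d in relevant if not d['backup_providers']],
    }


def consolidate_on(dependencies, provider, services):
    """What-if: moves the named services to a single provider (e.g. a platform migration)."""
    return [dict(d, provider=provider) if d['service'] in services else dict(d)
            for d in dependencies]


if __name__ == '__main__':
    print(assess_supplier_concentration(DEPENDENCIES))
    print(backup_coverage(DEPENDENCIES))
    moved = consolidate_on(DEPENDENCIES, 'AWS', {'AI framework', 'DICOM / HL7 FHIR libraries'})
    print(assess_supplier_concentration(moved))
```

With the constructed map the index stays below the 0.3 target, but backup coverage is only 1 of 5 critical services; the what-if shows that consolidating the AI framework and the medical libraries onto the cloud provider pushes the index above the target, which is the kind of change the section 8 change control should catch.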

3. Security controls by tier level

3.1 Tier 1 - Direct critical suppliers

```yaml
Tier_1_Critical_Controls:
  Pre_Selection:
    - "Due diligence exhaustivo (>90 días)"
    - "Auditoría en sitio obligatoria"
    - "Verificación de certificaciones médicas"
    - "Evaluación de equipo de ciberseguridad"
    - "Referencias verificables en sector salud"

  Contractual_Requirements:
    - "Right-to-audit clauses"
    - "24x7 support commitment"
    - "Incident notification < 4 hours"
    - "Insurance coverage >= €5M"
    - "Regulatory compliance warranties"
    - "Source code escrow (if applicable)"

  Ongoing_Monitoring:
    - "Monthly security assessments"
    - "Quarterly business reviews"
    - "Annual penetration testing"
    - "Real-time performance monitoring"
    - "Compliance attestation reviews"

  Incident_Response:
    - "Joint incident response procedures"
    - "Dedicated escalation contacts"
    - "Forensic cooperation requirements"
    - "Communication protocols defined"
```

3.2 Tier 2 - Supplier subcontractors

```yaml
Tier_2_Subcontractor_Controls:
  Visibility_Requirements:
    - "Complete subcontractor disclosure"
    - "Risk assessment of key subcontractors"
    - "Approval rights for critical subcontractors"
    - "Change notification requirements"

  Security_Standards:
    - "Flow-down of security requirements"
    - "Minimum security baseline compliance"
    - "Regular security questionnaires"
    - "Audit rights extension to subcontractors"

  Medical_Device_Considerations:
    - "Understanding of medical device requirements"
    - "GDPR compliance for health data"
    - "Business continuity requirements"
    - "Quality system integration"
```

4. Management of critical software components

4.1 Medical Software Bill of Materials (SBOM)

```python
class MedicalSBOMManager:
    def __init__(self):
        self.sbom_database = MedicalSBOMDatabase()
        self.vulnerability_scanner = VulnerabilityScanner()
        self.compliance_checker = MedicalComplianceChecker()

    def generate_medical_sbom(self, component_type='full_system'):
        """Generates an SBOM specific to the medical device"""
        sbom = {
            'device_info': {
                'name': 'Legit Health Plus',
                'version': '1.1.0.0',
                'class': 'IIa',
                'udi_di': 'LH-DER-AI-2024-001'
            },
            'components': [],
            'medical_critical_flags': [],
            'regulatory_implications': [],
            'security_scan_results': []
        }

        # Critical software components
        critical_components = self.identify_critical_medical_components()

        for component in critical_components:
            component_info = {
                'name': component['name'],
                'version': component['version'],
                'supplier': component['supplier'],
                'license': component['license'],
                'medical_classification': self.classify_medical_criticality(component),
                'security_scan': self.vulnerability_scanner.scan_component(component),
                'regulatory_impact': self.assess_regulatory_impact(component),
                'integrity_verification': self.verify_component_integrity(component)
            }

            sbom['components'].append(component_info)

            # Flag the components that are critical for diagnosis
            if component_info['medical_classification'] == 'diagnostic_critical':
                sbom['medical_critical_flags'].append({
                    'component': component['name'],
                    'reason': 'Directly affects diagnostic accuracy',
                    'controls_required': ['signature_verification', 'integrity_monitoring']
                })

        # Medical-specific vulnerability analysis
        sbom['security_scan_results'] = self.perform_medical_security_analysis(sbom['components'])

        return sbom

    def classify_medical_criticality(self, component):
        """Classifies the medical criticality of the component"""
        name = component['name'].lower()
        if 'tensorflow' in name or 'pytorch' in name:
            return 'diagnostic_critical'  # Directly affects the diagnosis
        elif 'dicom' in name or 'hl7' in name:
            return 'interoperability_critical'  # Critical for medical data exchange
        elif 'crypto' in name or 'security' in name:
            return 'security_critical'  # Critical for data security
        else:
            return 'standard'
```
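The `verify_component_integrity` and `signature_verification` controls above are named but not shown. The following is an added example, not the project's own code, of the integrity side of the SBOM check: it reads a CycloneDX-style SBOM, classifies each component with the same name rule as `classify_medical_criticality`, compares the recorded SHA-256 against an allowlist pinned at qualification time, and blocks the release when a diagnostic-, interoperability- or security-critical component has no hash, a mismatching hash, or was never pinned. The SBOM content, the artifact bytes behind the hashes and the blocking policy are constructed assumptions; the library names and versions are illustrative, not the device's inventory.

```python
import hashlib
import json


# Classification rule as in classify_medical_criticality above (substring match on the name).
def classify_medical_criticality(name):
    n = name.lower()
    if 'tensorflow' in n or 'pytorch' in n:
        return 'diagnostic_critical'
    if 'dicom' in n or 'hl7' in n:
        return 'interoperability_critical'
    if 'crypto' in n or 'security' in n:
        return 'security_critical'
    return 'standard'


# Assumed policy: an integrity problem on any of these classes blocks the release.
BLOCKING_CLASSES = {'diagnostic_critical', 'interoperability_critical', 'security_critical'}


def _sha256_of(component):
    """Returns the SHA-256 recorded in a CycloneDX component, or None if there is none."""
    for h in component.get('hashes', []):
        if h.get('alg') == 'SHA-256':
            return h.get('content', '').lower()
    return None


def verify_sbom(sbom_json, pinned_hashes):
    """Checks each component of a CycloneDX-style SBOM against a pinned allowlist.

    pinned_hashes maps "name@version" to the SHA-256 recorded when the component
    was qualified. Every component gets an integrity status; any status other than
    'verified' becomes a finding, and a finding on a blocking class stops the release.
    """
    sbom = json.loads(sbom_json)
    report = {'components': [], 'findings': [], 'release_allowed': True}
    for comp in sbom.get('components', []):
        key = f"{comp['name']}@{comp['version']}"
        cls = classify_medical_criticality(comp['name'])
        actual = _sha256_of(comp)
        expected = pinned_hashes.get(key)
        if actual is None:
            status = 'missing_hash'      # nothing to verify: integrity cannot be proven
        elif expected is None:
            status = 'unpinned'          # component never went through qualification
        elif actual != expected.lower():
            status = 'hash_mismatch'     # artifact differs from the qualified one
        else:
            status = 'verified'
        report['components'].append({'component': key, 'classification': cls, 'integrity': status})
        if status != 'verified':
            report['findings'].append({'component': key, 'classification': cls, 'problem': status})
            if cls in BLOCKING_CLASSES:
                report['release_allowed'] = False
    return report


# Constructed sample data: byte strings stand in for the real wheels/tarballs.
_QUALIFIED_ARTIFACTS = {
    'tensorflow@2.15.0': b'constructed tensorflow artifact',
    'pydicom@2.4.4': b'constructed pydicom artifact',
    'cryptography@42.0.5': b'constructed cryptography artifact',
}
PINNED_HASHES = {k: hashlib.sha256(v).hexdigest() for k, v in _QUALIFIED_ARTIFACTS.items()}


def _component(name, version, supplier, content=None):
    comp = {'name': name, 'version': version, 'supplier': {'name': supplier}}
    if content is not None:
        comp['hashes'] = [{'alg': 'SHA-256', 'content': hashlib.sha256(content).hexdigest()}]
    return comp


SAMPLE_SBOM = json.dumps({
    'bomFormat': 'CycloneDX',
    'specVersion': '1.5',
    'metadata': {'component': {'name': 'Legit Health Plus', 'version': '1.1.0.0'}},
    'components': [
        _component('tensorflow', '2.15.0', 'Google', _QUALIFIED_ARTIFACTS['tensorflow@2.15.0']),
        _component('pydicom', '2.4.4', 'pydicom project', b'tampered pydicom artifact'),
        _component('cryptography', '42.0.5', 'PyCA'),                            # hash not recorded
        _component('requests', '2.31.0', 'PSF', b'constructed requests artifact'),  # never pinned
    ],
})

if __name__ == '__main__':
    print(json.dumps(verify_sbom(SAMPLE_SBOM, PINNED_HASHES), indent=2))
```

Run stand-alone it reports three findings: the tampered DICOM library (hash mismatch) and the unhashed cryptography library both block the release, while the unpinned standard library is only recorded for follow-up.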

5. Continuous supply chain monitoring

5.1 Early warning system

```python
class SupplyChainThreatMonitoring:
    def __init__(self):
        self.threat_intel_sources = [
            'cisa_advisories',
            'fda_device_alerts',
            'medical_device_certs',
            'supplier_security_feeds'
        ]
        self.monitoring_rules = self.load_monitoring_rules()

    def monitor_supply_chain_threats(self):
        """Continuous monitoring of threats in the supply chain"""
        threats_detected = []

        for source in self.threat_intel_sources:
            new_threats = self.collect_threats_from_source(source)

            for threat in new_threats:
                # Evaluate whether it affects our supply chain
                impact_assessment = self.assess_threat_impact(threat)

                if impact_assessment['affects_supply_chain']:
                    threat_alert = {
                        'threat_id': threat['id'],
                        'source': source,
                        'severity': impact_assessment['severity'],
                        'affected_suppliers': impact_assessment['affected_suppliers'],
                        'medical_device_impact': impact_assessment['medical_impact'],
                        'recommended_actions': self.generate_response_actions(threat, impact_assessment)
                    }

                    threats_detected.append(threat_alert)

                    # Alert immediately if critical
                    if impact_assessment['severity'] == 'CRITICAL':
                        self.trigger_emergency_response(threat_alert)

        return threats_detected

    def assess_threat_impact(self, threat):
        """Assesses the impact of a threat on the medical supply chain"""
        impact = {
            'affects_supply_chain': False,
            'severity': 'LOW',
            'affected_suppliers': [],
            'medical_impact': 'none'
        }

        # Check whether it affects our suppliers
        for supplier in self.get_active_suppliers():
            if self.threat_affects_supplier(threat, supplier):
                impact['affects_supply_chain'] = True
                impact['affected_suppliers'].append(supplier)

                # Assess the medical impact
                if supplier['criticality'] == 'diagnostic_critical':
                    impact['medical_impact'] = 'high'
                    impact['severity'] = 'CRITICAL'
                elif supplier['criticality'] == 'patient_data':
                    impact['medical_impact'] = 'medium'
                    impact['severity'] = 'HIGH'

        return impact
```

6. Supply chain incident response plan

6.1 Response procedures by incident type

```yaml
Supply_Chain_Incident_Response:
  Supplier_Compromise:
    Immediate_Actions:
      - "Isolate affected supplier connections"
      - "Assess data exposure risk"
      - "Activate backup suppliers if available"
      - "Notify affected customers"

    Investigation:
      - "Coordinate with supplier incident response"
      - "Forensic analysis of our environment"
      - "Determine patient data impact"
      - "Regulatory notification assessment"

    Recovery:
      - "Validate supplier remediation"
      - "Enhanced monitoring period"
      - "Contract renegotiation if needed"
      - "Lessons learned integration"

  Component_Vulnerability:
    Immediate_Actions:
      - "Assess vulnerability exploitability"
      - "Determine medical device impact"
      - "Emergency patching if available"
      - "Temporary workarounds implementation"

    Medical_Safety_Assessment:
      - "Clinical impact evaluation"
      - "Patient safety risk assessment"
      - "Regulatory reporting requirements"
      - "Healthcare provider notifications"

  Supplier_Business_Failure:
    Immediate_Actions:
      - "Activate continuity procedures"
      - "Secure access to critical assets"
      - "Data and IP recovery"
      - "Alternative supplier activation"

    Long_Term_Planning:
      - "Service transition planning"
      - "Contract novation if applicable"
      - "Regulatory compliance maintenance"
      - "Customer communication strategy"
```

7. Supply chain compliance and auditing

7.1 Audit programme

```yaml
Supply_Chain_Audit_Program:
  Annual_Comprehensive_Audits:
    Scope: "All Tier 1 critical suppliers"
    Focus_Areas:
      - "Security controls implementation"
      - "Medical device regulation compliance"
      - "Business continuity capabilities"
      - "Incident response preparedness"
      - "Subcontractor management"

    Audit_Team:
      - "Internal: CTO, ISO, Quality Manager"
      - "External: Specialized medical device auditor"
      - "Subject matter experts as needed"

  Quarterly_Assessments:
    Scope: "High-risk Tier 2 suppliers"
    Method: "Questionnaire + documentation review"
    Focus: "Compliance maintenance and change management"

  Continuous_Monitoring:
    Automated_Checks:
      - "Certificate expiration monitoring"
      - "Financial health indicators"
      - "Security posture metrics"
      - "Service level compliance"
```

8. Supply chain change management

8.1 Supplier change control

```python
class SupplyChainChangeControl:
    def __init__(self):
        self.change_approval_matrix = self.load_approval_matrix()
        self.risk_assessor = SupplyChainRiskAssessor()
        self.regulatory_reviewer = RegulatoryComplianceReviewer()

    def process_supplier_change(self, change_request):
        """Processes a change proposed by a supplier"""
        change_analysis = {
            'change_id': self.generate_change_id(),
            'supplier': change_request['supplier'],
            'change_description': change_request['description'],
            'risk_assessment': self.risk_assessor.assess_change_risk(change_request),
            'regulatory_impact': self.regulatory_reviewer.assess_regulatory_impact(change_request),
            'approval_required': [],
            'conditions': [],
            'monitoring_requirements': []
        }

        # Determine the approvals required
        if change_analysis['risk_assessment']['level'] == 'HIGH':
            change_analysis['approval_required'].extend(['CTO', 'CMO', 'CEO'])
        elif change_analysis['risk_assessment']['level'] == 'MEDIUM':
            change_analysis['approval_required'].extend(['CTO', 'CMO'])

        # Special conditions for changes with medical impact
        if change_analysis['regulatory_impact']['affects_device_compliance']:
            change_analysis['conditions'].append('Regulatory pre-approval required')
            change_analysis['conditions'].append('Validation testing mandatory')

        if change_analysis['risk_assessment']['affects_patient_data']:
            change_analysis['conditions'].append('Privacy impact assessment')
            change_analysis['conditions'].append('Enhanced monitoring for 90 days')

        return change_analysis
```

9. Supply chain performance metrics

9.1 Medical-specific KPIs

```yaml
Medical_Supply_Chain_KPIs:
  Security_Metrics:
    - "% suppliers with current security certifications: 100%"
    - "Mean time to detect supply chain threats: < 24 hours"
    - "Supply chain incident response time: < 4 hours"
    - "% critical suppliers with validated incident response: 100%"

  Compliance_Metrics:
    - "% suppliers compliant with medical device regulations: 100%"
    - "Regulatory audit findings related to supply chain: 0"
    - "% suppliers with valid regulatory certifications: 100%"
    - "Time to regulatory notification compliance: < 24 hours"

  Business_Continuity:
    - "% critical services with backup suppliers: >= 80%"
    - "Supply chain risk concentration index: < 0.3"
    - "Average supplier switching time: < 30 days"
    - "% suppliers with validated continuity plans: 100%"

  Quality_Metrics:
    - "Supplier-related quality issues: trending down"
    - "% suppliers meeting SLA requirements: >= 98%"
    - "Customer satisfaction with supplier-delivered services: >= 4.5/5"
```

10. Qualification of medical device suppliers

10.1 Medical supplier qualification procedure

```yaml
Medical_Vendor_Qualification_Process:
  Initial_Assessment:
    Documentation_Required:
      - "ISO 13485 certification (current)"
      - "Medical device manufacturing licenses"
      - "FDA/CE marking compliance evidence"
      - "Cybersecurity framework implementation"
      - "Risk management system documentation (ISO 14971)"
      - "Clinical evaluation procedures"

    Technical_Evaluation:
      - "Security architecture review"
      - "Data protection implementation audit"
      - "Incident response capability assessment"
      - "Business continuity validation"
      - "Supply chain security measures"

    Financial_Assessment:
      - "Financial stability analysis (3 years)"
      - "Insurance coverage verification (≥€10M)"
      - "Audit of financial controls"
      - "Credit rating verification"

  Due_Diligence_Requirements:
    Minimum_Qualification_Period: "120 days"
    On_Site_Audit_Mandatory: "Yes (for Tier 1)"
    Reference_Checks: "Minimum 3 healthcare customers"
    Security_Clearance: "Enhanced due diligence for critical suppliers"

  Approval_Authority:
    Tier_1_Critical: "CEO + CMO + CTO (unanimous)"
    Tier_2_Important: "CMO + CTO (majority)"
    Tier_3_Standard: "CTO + Procurement Manager"
```

10.2 Security questionnaire for medical suppliers

```python
class MedicalSupplierSecurityQuestionnaire:
    def __init__(self):
        self.questionnaire_sections = {
            'regulatory_compliance': self.get_regulatory_questions(),
            'cybersecurity': self.get_cybersecurity_questions(),
            'clinical_safety': self.get_clinical_safety_questions(),
            'data_protection': self.get_data_protection_questions(),
            'business_continuity': self.get_business_continuity_questions()
        }

    def get_regulatory_questions(self):
        return [
            {
                'id': 'REG-001',
                'question': '¿Mantiene certificación ISO 13485 vigente?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'Certificate copy and scope'
            },
            {
                'id': 'REG-002',
                'question': '¿Ha sido sujeto a advertencias regulatorias en los últimos 3 años?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'FDA/EMA correspondence if applicable'
            },
            {
                'id': 'REG-003',
                'question': '¿Implementa sistema de gestión de riesgos según ISO 14971?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'Risk management procedures and records'
            },
            {
                'id': 'REG-004',
                'question': '¿Mantiene sistema de vigilancia post-comercialización?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'PMS procedures and periodic safety reports'
            }
        ]

    def get_cybersecurity_questions(self):
        return [
            {
                'id': 'CYB-001',
                'question': '¿Implementa framework de ciberseguridad (NIST, ISO 27001)?',
                'type': 'multiple_choice',
                'options': ['NIST CSF', 'ISO 27001', 'Custom', 'None'],
                'critical': True,
                'evidence_required': 'Framework documentation and certification'
            },
            {
                'id': 'CYB-002',
                'question': '¿Realiza pruebas de penetración regulares?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'Latest penetration test report (redacted)'
            },
            {
                'id': 'CYB-003',
                'question': '¿Mantiene programa de gestión de vulnerabilidades?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'Vulnerability management procedures'
            },
            {
                'id': 'CYB-004',
                'question': 'Tiempo máximo de respuesta a incidentes críticos de seguridad',
                'type': 'numeric',
                'unit': 'hours',
                'acceptable_range': [0, 4],
                'critical': True
            }
        ]

    def get_clinical_safety_questions(self):
        return [
            {
                'id': 'CLI-001',
                'question': '¿Ha experimentado recalls de dispositivos médicos en los últimos 5 años?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'Recall details and corrective actions if applicable'
            },
            {
                'id': 'CLI-002',
                'question': '¿Mantiene personal dedicado a seguridad del paciente?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'Organizational chart and role definitions'
            },
            {
                'id': 'CLI-003',
                'question': '¿Implementa validación clínica para cambios de software?',
                'type': 'yes_no',
                'critical': True,
                'evidence_required': 'Clinical validation procedures'
            }
        ]

    def calculate_supplier_score(self, responses):
        """Calculates the supplier's risk score"""
        total_score = 0
        critical_failures = 0

        for section, questions in self.questionnaire_sections.items():
            section_score = 0
            for question in questions:
                response = responses.get(question['id'])

                if question.get('critical', False):
                    if self.is_critical_failure(question, response):
                        critical_failures += 1

                section_score += self.score_response(question, response)

            total_score += section_score

        qualification_result = {
            'total_score': total_score,
            'critical_failures': critical_failures,
            'qualification_status': 'DISQUALIFIED' if critical_failures > 0 else self.determine_status(total_score),
            'required_actions': self.get_required_actions(responses),
            'monitoring_level': self.determine_monitoring_level(total_score, critical_failures)
        }

        return qualification_result
```
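`calculate_supplier_score` above relies on `score_response`, `is_critical_failure`, `determine_status` and `determine_monitoring_level`, which the page does not define. The following is an added example, not the project's own code, of one consistent way to fill them in for the three question types that appear on the page (`yes_no`, `multiple_choice` with `options`, `numeric` with `acceptable_range`). The pass criteria (`pass_value`, `acceptable_options`), the qualification bands and the sample responses are assumptions constructed here; the question ids and the "any critical failure disqualifies" rule are the page's.

```python
# Subset of the page's questionnaire (REG/CYB/CLI ids). The pass criteria
# ('pass_value' for yes/no questions, 'acceptable_options' for multiple choice)
# are assumed fields added here; 'acceptable_range' is the page's own field.
QUESTIONS = {
    'regulatory_compliance': [
        {'id': 'REG-001', 'type': 'yes_no', 'critical': True, 'pass_value': 'yes'},   # ISO 13485 current
        {'id': 'REG-002', 'type': 'yes_no', 'critical': True, 'pass_value': 'no'},    # regulatory warnings
    ],
    'cybersecurity': [
        {'id': 'CYB-001', 'type': 'multiple_choice', 'critical': True,
         'options': ['NIST CSF', 'ISO 27001', 'Custom', 'None'],
         'acceptable_options': ['NIST CSF', 'ISO 27001']},
        {'id': 'CYB-004', 'type': 'numeric', 'critical': True,
         'unit': 'hours', 'acceptable_range': [0, 4]},
    ],
    'clinical_safety': [
        {'id': 'CLI-001', 'type': 'yes_no', 'critical': True, 'pass_value': 'no'},    # device recalls
        {'id': 'CLI-002', 'type': 'yes_no', 'critical': False, 'pass_value': 'yes'},  # patient safety staff
    ],
}

# Assumed qualification bands on the share of passed questions.
STATUS_BANDS = [(0.9, 'QUALIFIED'), (0.7, 'CONDITIONAL'), (0.0, 'DISQUALIFIED')]


def response_passes(question, response):
    """Applies the pass rule for the question's type. A missing answer never passes."""
    if response is None:
        return False
    kind = question['type']
    if kind == 'yes_no':
        return str(response).strip().lower() == question['pass_value']
    if kind == 'multiple_choice':
        return response in question['acceptable_options']
    if kind == 'numeric':
        low, high = question['acceptable_range']
        try:
            return low <= float(response) <= high
        except (TypeError, ValueError):
            return False   # free text in a numeric field is treated as a failure
    raise ValueError(f"unknown question type: {kind}")


def determine_status(score_ratio):
    for floor, status in STATUS_BANDS:
        if score_ratio >= floor:
            return status
    return 'DISQUALIFIED'


def calculate_supplier_score(responses, questions=QUESTIONS):
    """One point per passed question; any failed critical question disqualifies
    regardless of the total, as on the page."""
    passed, total, critical_failures, section_scores = 0, 0, [], {}
    for section, items in questions.items():
        section_passed = 0
        for question in items:
            ok = response_passes(question, responses.get(question['id']))
            total += 1
            section_passed += int(ok)
            if question['critical'] and not ok:
                critical_failures.append(question['id'])
        passed += section_passed
        section_scores[section] = f"{section_passed}/{len(items)}"
    ratio = passed / total if total else 0.0
    status = 'DISQUALIFIED' if critical_failures else determine_status(ratio)
    return {
        'total_score': passed,
        'max_score': total,
        'score_ratio': round(ratio, 2),
        'section_scores': section_scores,
        'critical_failures': critical_failures,
        'qualification_status': status,
        'monitoring_level': 'enhanced' if status != 'QUALIFIED' else 'standard',
    }


# Constructed responses for three hypothetical suppliers.
FULLY_COMPLIANT = {'REG-001': 'Yes', 'REG-002': 'No', 'CYB-001': 'ISO 27001',
                   'CYB-004': 2, 'CLI-001': 'No', 'CLI-002': 'Yes'}
MINOR_GAP = dict(FULLY_COMPLIANT, **{'CLI-002': None})          # only a non-critical miss
CRITICAL_GAPS = {'REG-001': 'Yes', 'REG-002': 'No', 'CYB-001': 'Custom',
                 'CYB-004': '12', 'CLI-001': 'No'}              # CLI-002 unanswered

if __name__ == '__main__':
    for name, answers in [('fully compliant', FULLY_COMPLIANT),
                          ('minor gap', MINOR_GAP), ('critical gaps', CRITICAL_GAPS)]:
        print(name, calculate_supplier_score(answers))
```

Note that a supplier answering "Custom" on CYB-001 and "12" hours on CYB-004 is disqualified even though its regulatory and clinical sections are clean, which is the intended effect of the critical flag; an unanswered question counts as a failure rather than being skipped, so an incomplete questionnaire cannot score better than a complete one.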

11. Enhanced continuous monitoring

11.1 Early warning system for the medical supply chain

```python
# Severity labels are ordered by rank so that alert thresholds can be compared
SEVERITY_RANK = {'LOW': 1, 'MEDIUM': 2, 'HIGH': 3, 'CRITICAL': 4}


class MedicalSupplyChainEarlyWarning:
    def __init__(self):
        self.monitoring_sources = {
            'fda_alerts': 'https://www.fda.gov/safety/medwatch-fda-safety-information-and-adverse-event-reporting-program',
            'ema_alerts': 'https://www.ema.europa.eu/en/human-regulatory/post-marketing/pharmacovigilance',
            'cisa_advisories': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog',
            'nist_nvd': 'https://nvd.nist.gov/vuln/data-feeds',
            'medical_device_recalls': 'https://www.fda.gov/medical-devices/medical-device-recalls',
            'supplier_financial_monitoring': 'Credit_Rating_Agencies'
        }
        self.alert_thresholds = self.load_alert_thresholds()

    def monitor_supplier_alerts(self):
        """Continuous monitoring of supplier alerts"""
        alerts = []

        for supplier in self.get_active_suppliers():
            # Regulatory monitoring
            regulatory_alerts = self.check_regulatory_alerts(supplier)

            # Cybersecurity monitoring
            security_alerts = self.check_security_alerts(supplier)

            # Financial monitoring
            financial_alerts = self.check_financial_stability(supplier)

            # Quality monitoring
            quality_alerts = self.check_quality_alerts(supplier)

            all_alerts = regulatory_alerts + security_alerts + financial_alerts + quality_alerts

            for alert in all_alerts:
                # Compare severity ranks, not the label strings: a plain string
                # comparison would sort 'CRITICAL' below 'HIGH' alphabetically
                threshold = self.alert_thresholds[alert['type']]
                if SEVERITY_RANK[alert['severity']] >= SEVERITY_RANK[threshold]:
                    enriched_alert = self.enrich_alert(alert, supplier)
                    alerts.append(enriched_alert)

                    # Automatic response for critical alerts
                    if alert['severity'] == 'CRITICAL':
                        self.trigger_critical_response(enriched_alert)

        return alerts

    def check_regulatory_alerts(self, supplier):
        """Checks regulatory alerts specific to the supplier"""
        alerts = []

        # Check FDA recalls
        fda_recalls = self.query_fda_recalls(supplier['name'])
        for recall in fda_recalls:
            if recall['date'] > supplier['last_assessment_date']:
                alerts.append({
                    'type': 'regulatory_recall',
                    'severity': 'CRITICAL',
                    'source': 'FDA',
                    'description': recall['reason'],
                    'affected_products': recall['products'],
                    'recommended_action': 'Immediate supplier assessment required'
                })

        # Check EMA warnings
        ema_warnings = self.query_ema_warnings(supplier['name'])
        for warning in ema_warnings:
            alerts.append({
                'type': 'regulatory_warning',
                'severity': 'HIGH',
                'source': 'EMA',
                'description': warning['details'],
                'recommended_action': 'Review supplier compliance status'
            })

        return alerts
```
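Sections 5.1 and 11.1 both leave the matching step (`threat_affects_supplier`, `collect_threats_from_source`) undefined. The following is an added example, not the project's own code, that serves both sections: it matches advisories shaped like CISA KEV catalogue entries (`vendorProject`, `product`, `dateAdded`) against a supplier register, ignores advisories already covered by a supplier's last assessment (the same date test the page applies to FDA recalls), assigns severity with the page's `diagnostic_critical` / `patient_data` table while keeping the worst case when several suppliers are hit, and filters by a ranked threshold rather than a string comparison. The supplier register and the advisories are constructed sample data; the CVE ids are placeholders, not real identifiers.

```python
from datetime import date

# Severity labels used on this page, ordered so that thresholds can be compared by rank.
SEVERITY_RANK = {'LOW': 1, 'MEDIUM': 2, 'HIGH': 3, 'CRITICAL': 4}

# Constructed supplier register (sample data). 'products' holds the (vendor, product)
# pairs we depend on, lower-cased for matching against advisory entries.
SUPPLIERS = [
    {'name': 'Example ML Framework Inc', 'criticality': 'diagnostic_critical',
     'products': {('exampleml', 'mlruntime')}, 'last_assessment_date': date(2024, 1, 15)},
    {'name': 'Example FHIR Gateway Ltd', 'criticality': 'patient_data',
     'products': {('examplefhir', 'gateway')}, 'last_assessment_date': date(2024, 3, 1)},
    {'name': 'Example Office Tools', 'criticality': 'standard',
     'products': {('exampleoffice', 'suite')}, 'last_assessment_date': date(2024, 2, 1)},
]

# Constructed advisories in the shape of CISA KEV catalogue entries
# (vendorProject / product / dateAdded). The cveID values are placeholders.
ADVISORIES = [
    {'cveID': 'CVE-PLACEHOLDER-0001', 'vendorProject': 'ExampleML', 'product': 'MLRuntime',
     'dateAdded': '2024-05-02'},
    {'cveID': 'CVE-PLACEHOLDER-0002', 'vendorProject': 'ExampleFHIR', 'product': 'Gateway',
     'dateAdded': '2024-04-10'},
    {'cveID': 'CVE-PLACEHOLDER-0003', 'vendorProject': 'ExampleOffice', 'product': 'Suite',
     'dateAdded': '2024-04-01'},
    {'cveID': 'CVE-PLACEHOLDER-0004', 'vendorProject': 'ExampleML', 'product': 'MLRuntime',
     'dateAdded': '2023-12-01'},   # already covered by the last supplier assessment
    {'cveID': 'CVE-PLACEHOLDER-0005', 'vendorProject': 'Unrelated', 'product': 'Thing',
     'dateAdded': '2024-05-01'},
]


def threat_affects_supplier(advisory, supplier):
    """An advisory concerns a supplier when its vendor/product pair is one we depend on
    and it was published after that supplier's last assessment."""
    key = (advisory['vendorProject'].lower(), advisory['product'].lower())
    published = date.fromisoformat(advisory['dateAdded'])
    return key in supplier['products'] and published > supplier['last_assessment_date']


def assess_threat_impact(advisory, suppliers):
    """Same decision table as the page's assess_threat_impact, but keeping the worst
    severity when several suppliers are affected instead of the last one seen."""
    impact = {'affects_supply_chain': False, 'severity': 'LOW',
              'affected_suppliers': [], 'medical_impact': 'none'}
    for supplier in suppliers:
        if not threat_affects_supplier(advisory, supplier):
            continue
        impact['affects_supply_chain'] = True
        impact['affected_suppliers'].append(supplier['name'])
        if supplier['criticality'] == 'diagnostic_critical':
            severity, medical = 'CRITICAL', 'high'
        elif supplier['criticality'] == 'patient_data':
            severity, medical = 'HIGH', 'medium'
        else:
            continue   # non-medical suppliers leave the default LOW / none
        if SEVERITY_RANK[severity] > SEVERITY_RANK[impact['severity']]:
            impact['severity'], impact['medical_impact'] = severity, medical
    return impact


def monitor_supply_chain_threats(advisories, suppliers, threshold='HIGH'):
    """Returns one alert per advisory at or above the severity threshold.
    'emergency' marks the alerts that would take the emergency response path."""
    alerts = []
    for advisory in advisories:
        impact = assess_threat_impact(advisory, suppliers)
        if not impact['affects_supply_chain']:
            continue
        if SEVERITY_RANK[impact['severity']] < SEVERITY_RANK[threshold]:
            continue
        alerts.append({
            'threat_id': advisory['cveID'],
            'severity': impact['severity'],
            'affected_suppliers': impact['affected_suppliers'],
            'medical_device_impact': impact['medical_impact'],
            'emergency': impact['severity'] == 'CRITICAL',
        })
    return alerts


if __name__ == '__main__':
    for alert in monitor_supply_chain_threats(ADVISORIES, SUPPLIERS):
        print(alert)
```

With the default threshold of HIGH the run yields two alerts: the ML runtime advisory (CRITICAL, emergency path) and the FHIR gateway advisory (HIGH); the office-suite advisory is recorded at LOW and only surfaces when the threshold is lowered, and the two advisories that predate the last assessment or name no supplier we use are dropped.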

12. Supply chain crisis management

12.1 Crisis response playbook

```yaml
Supply_Chain_Crisis_Playbook:
  Supplier_Insolvency:
    Immediate_Actions_0_4h:
      - "Secure access to critical IP and source code"
      - "Freeze all payments pending legal review"
      - "Activate backup supplier arrangements"
      - "Notify legal team and insurance carrier"
      - "Assess immediate service continuity risks"

    Short_Term_4_24h:
      - "Execute service transfer procedures"
      - "Communicate with affected customers"
      - "Regulatory notification if required"
      - "Financial impact assessment"
      - "Alternative supplier qualification acceleration"

    Medium_Term_1_7_days:
      - "Complete service migration"
      - "Legal proceedings coordination"
      - "Insurance claims processing"
      - "Post-incident review and lessons learned"
      - "Supply chain resilience improvements"

  Major_Security_Breach:
    Immediate_Actions_0_2h:
      - "Isolate supplier connections"
      - "Assess data exposure scope"
      - "Activate incident response team"
      - "Preserve forensic evidence"
      - "Customer impact assessment"

    Regulatory_Notification_2_72h:
      - "GDPR breach notification if applicable"
      - "Medical device incident reporting"
      - "CCN-CERT notification"
      - "Customer and partner notifications"
      - "Public disclosure preparation"

  Product_Quality_Issue:
    Clinical_Safety_Assessment_0_1h:
      - "Patient safety impact evaluation"
      - "Clinical team activation"
      - "Immediate risk mitigation"
      - "Healthcare provider alerts"

    Regulatory_Response_1_24h:
      - "FDA/EMA incident reporting"
      - "Corrective and preventive actions"
      - "Field safety notice preparation"
      - "Post-market surveillance activation"
```

13. Cross-references

  • OP.EXT.1: Base contracts and SLAs for supply chain protection
  • OP.EXT.2: Day-to-day management that implements the supply chain controls
  • R-TF-013-002: Supply-chain-specific risks
  • GP-013: Cybersecurity framework applied to third parties
  • T-024-009: Supply chain management procedure
  • OP.MON.2: Integration with the metrics system for supplier monitoring
  • OP.CONT.2: Continuity plans that include supply alternatives
  • MP.PER.1: Management of supplier personnel with access to critical systems

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)