Harbor Labs collaborated with an early-stage manufacturer of a wearable electrocardiogram (ECG) device and its connected mobile and cloud applications to provide broad regulatory submission support. The engagement focused on 1) producing extensive cybersecurity documentation, 2) defining software development lifecycle (SDLC) procedures, and 3) conducting the full set of cybersecurity testing recommended in FDA’s premarket guidance. This was a multifaceted engagement that required close collaboration across several of the client’s internal teams, including software development, regulatory affairs, and quality assurance.
Harbor Labs engagements are tailored to align with the unique needs of the client. For this project, Harbor Labs first conducted a comprehensive review of client cybersecurity policy and procedure documentation to identify gaps and deficiencies. Harbor Labs modified much of the documentation to align with regulatory requirements, and produced several new regulatory documents on behalf of the client. These included a Cybersecurity Risk Management plan, the required cybersecurity views, a post-market cybersecurity monitoring strategy, and security labeling and security callouts in the client’s Instructions for Use (IFU) documents.
Beyond just the cybersecurity documentation, Harbor Labs also worked closely with the client to define both Standard Operating Procedures (SOPs) and product-specific software plans for the medical system. These efforts were guided by established industry standards, such as IEC 62304 — Medical Device Software: Software Life Cycle Processes. The SOPs Harbor Labs developed helped lay the foundation for the client’s ongoing software maintenance plan.
Harbor Labs was also engaged to perform formal verification of the system’s cybersecurity requirements. This process involved developing test protocols, assessing the impact of verification tools, executing dry runs, participating in the Defect Review Board (DRB), and formally documenting the results in a detailed test report.
Finally, FDA premarket guidance recommends conducting multiple categories of cybersecurity testing. As part of this engagement, Harbor Labs executed customized cybersecurity testing of the target system, including both penetration testing and vulnerability assessments, to identify cybersecurity vulnerabilities.
It is not uncommon for early-stage clients to lack the resources, staffing and expertise necessary to produce the full set of policies, procedures, and supporting documentation required for a regulatory submission through the eSTAR process. Over the course of this engagement, Harbor Labs rapidly produced the full suite of documentation, including both cyber and non-cyber content, and delivered it on time to support the client’s submission deadlines.