Licensed to be used in conjunction with basebox, only.
basebox Intended Use
- Name: basebox
- Version: 1.0.x
- Basic UDI-DI: N/A
basebox is Off-the-shelf Software (OTS) that provides an effective and efficient solution for Medical Device manufacturers building databases to their own needs.
basebox is essential for building Digital Health platforms and therefore makes no compromises in terms of security and compliance despite its quick deployment. Until now, developers had to choose between fast availability and high security. This compromise is now over.
That is why the development and maintenance activities of basebox considered the relevant standards for software development in the Medical Device industry. Those standards are listed in the section below.
Since basebox is not a Medical Device, the following Intended Use characteristics of a Medical Device do not apply:
- Intended Medical Indication,
- Patient Population,
- User Profile,
- Use Environment Including Software/Hardware,
- Part of the Body / Type of Tissue Interacted with.
Considered Standards and Guidelines
OTS software manufacturers typically do not publish their technical documentation, but basebox wants to establish trust and support compliance on the customer side by being transparent. That is why the technical documentation of basebox is published as applicable for an OTS component. The following list provides an overview of the standards and guidelines that were reviewed and considered during the development of basebox and were used to create the technical documentation.
IEC 62304 Medical device software – Software life-cycle processes. IEC 62304 is the international standard for the development of medical device software. It provides a process and requirements for developing, testing, and maintaining software used in medical devices. It covers the entire software life cycle, from requirements to post-market surveillance, and is intended to ensure that the software is safe and effective for its intended use.
The basebox development considered the requirements from IEC 62304 as applicable to an OTS component, for instance by:
- establishing user and software requirements,
- transforming those into an architecture,
- applying coding rules,
- running automated tests before any commit and for all builds.
IEC 81001-5-1 Health software and health IT systems safety, effectiveness, and security — Part 5-1: Security — Activities in the product life cycle. The cybersecurity standard IEC 81001-5-1 focuses on IT security in the software life cycle and supplements IEC 62304 with cybersecurity specific requirements.
basebox applied the principles of security by design from IEC 81001-5-1 where applicable for an OTS component, for instance by:
- performing threat modeling,
- implementing security controls,
- having penetration testing executed by a certified third party,
- using Rust as a memory-safe programming language,
- verifying cybersecurity controls using the MDS2 form.
By considering IEC 81001-5-1, most of the requirements from MDCG 2019-16 Guidance on Cybersecurity for medical devices are covered as well. Relevant controls from NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations were also considered during the development of basebox.
ISO 14971 Medical devices - Application of risk management to medical devices, is an international standard that provides requirements for the risk management of medical devices. It outlines a process for identifying, analyzing, evaluating, controlling, and monitoring the risks associated with medical devices throughout their life cycle, with the goal of ensuring they are safe and effective for their intended use. Since basebox is not a medical device and therefore has no Intended Use, ISO 14971 does not apply to basebox. However, basebox incorporates cybersecurity controls to protect against cyber threats that may lead to a health risk or privacy issues. A list of known anomalies or bugs - if applicable - is published in the release notes; the Medical Device manufacturer may use it as an input to the risk analysis performed for the final Medical Device.
General Quality Management
ISO 13485 Medical devices - Quality management systems - Requirements for regulatory purposes, is an international standard that sets out requirements for a quality management system (QMS) specific to the medical device industry. It is designed to help organizations ensure that their medical devices are safe, effective, and of high quality by establishing a framework for managing medical device design, development, production, installation, and servicing. Organizations that are certified to this standard demonstrate that they have a robust QMS in place and are committed to meeting the needs of their customers and regulatory requirements.
basebox, the company, is not a legal manufacturer of Medical Devices but is planning to establish an ISO 13485-based quality management system.
Corrections concerning MDS2 form