SGS网络安全服务
SGS CYBERSECUIRTY SERVICES
SGS我们的愿景Our vision
SGS是国际公认的测试、检验和认证机构SGS IS THE WORLD'S LEADING TESTING, INSPECTION, AND CERTIFICATION COMPANY
我们的目标是成为全球具竞争力和生产力的服务机构GLOBALLY COMPETITIVE AND PRODUCTIVESERVICEORGANIZATION
在我们擅长的测试、检验和认证服务领域不断创新OUR EXPERTISE IN TESTING,INSPECTION, ANDCERTIFICATIONSERVICESISCONSTANTLYINNOVATING
始终为全球企业提供专业服务ULTIMATELY PROVIDING PROFESSIONALSERVICESTO GLOBAL ENTERPRISES
SGS网络安全实验室Cybersecuirty laboratory
实验室遍布全球
LABORATORIESARESPREADALLOVERTHEWORLD
北京、上海、广州、深圳、昆山、台北等国内城市
荷兰、西班牙、奥地利、法国、美国、新加坡等国家
SGS全球资质
Global accreditations
国际公认的测试、检验和认证机构
SGSISTHEWORLD'SLEADINGTESTING,INSPECTION,ANDCERTIFICATIONCOMPANY
美国FDA网络与信息安全要求FDA cybersecurity
FDA
2022年12月29日,《2023年综合拨款法》签署成为法律。综合第3305条-“确保医疗设备的网络安全”一修订了《联邦食品、药品和化妆品法案》(FD&C法案),添加了第524B条“确保设备的网络安全"(第3305条)。综合声明,FD&C法案的修正案将于该法案颁布后90天(即2023年3月29日)生效。
On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus -- "Ensuring Cybersecurity of Medical Devices" -- amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices (section 3305). The Omnibus states that the amendments to the FD&C Act shall take effect 90 days after the enactment of this Act, on March 29, 2023.
提交一份计划,以在合理的时间内酌情监控、识别和解决上市后网络安全漏洞和漏洞,包括协调一致的漏洞披露和相关程序。
Submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
设计、开发和维护流程和程序,以合理保证设备和相关系统的网络安全,并为设备和相关系统提供上市后更新和补丁。
Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems.
提供软件物料清单,包括商业、开源和现成的软件组件。
Provide to the Secretary a software bill of materials, including commercial open-source, and off-the-shelf software components.
FDA还可能发布包含其他要求的法规,以合理保证设备和相关系统的网络安全。
The FDA may also issue regulations with other requirements to demonstrate reasonable assurance that the device and related systems are cybersecure.
欧盟MDR网络与信息安全要求MDR cybersecurity
·欧洲医疗器械法规(MDR&IVDR)要求网络安全要求:
·对于包含软件的设备或作为设备本身的 软件,软件应按照现有技术水平进行 开发和制造,并考虑到开发生命周期、 风险管理的原则,包括信息安全、验 证和确认。
·MDCG网络安全指导文件(2019年12月) ·网络安全风险/要求需要在单独的风险 管理过程中进行处理,符合ISO14971 的方法(另见AAMITIR57/SW96)。
·符合由国家机构发布的网络安全指南(如 BSI或ANSM)。
· The European Medical Device Regulation (MDR&IVDR) requires cybersecurity requirements: · For devices containing software or software as the device itself, the software should be developed and manufactured according to the current level of technology, taking into account the principles of development lifecycle and risk management, including information security, verification, and confirmation.
·MDCG Network Security Guidance Document (December 2019) · Cybersecurity risks/requirements need to be addressed in a separate risk, management process, in accordance with the methods of IS0 14971 (see also AAMITIR57/SW96).
· Compliant with cybersecurity guidelines issued by national institutions such as BSl orANSM.
中国NMPA网络与信息安全要求NMPA cybersecurity
医疗器械网络安全注册
MEDICAL DEVICE CYBERSECURITY REGISTRATION
《医疗器械注册管理办法》第三十四条规定,申请人应当提交医疗器械的网络安全保护方案,说明网络安全保护措施和技术措施,依据医疗器械分类管理目录及有关技术规范等的要求,明确网络安全保护措施和技术措施的适用范围和要求。同时,申请人还应当完善相关的网络安全管理制度和操作规范。
Article 34 of the Measures for the Administration of Medical Device Registration stipulates that the applicant shall submit a cybersecurity protection plan for the medical device, explain the cybersecurity protection measures and technical measures, and clarify the scope and requirements of the cybersecurity protection measures and technical measures in accordance with the requirements of the medical device classification management catalog and relevant technical specifications.At the same time, the applicant should also improve therelevant cybersecurity management system and operational standards.
医疗器械网络安全注册技术审查指导原则
GUIDINGPRINCIPLES FORTECHNICAL REVIEW OFMEDICAL DEVICE CYBERSECURITY REGISTRATION
)明确了医疗器械产品的分类标准:非数字化产品、无连接数字化产品、有连接数字化产 品和嵌入式数字化产品。
·完善了技术审查内容:产品设计、数据传输、访问控制、加密算法、安全漏洞管理等。
·加强了指导原则的实践性。
· The classification criteria for medical device products have been clarified: non digital products, unconnected digital products, connected digital products, and embedded digitalproducts.
· Improved the technical review content, including product design, data transmission, access control, encryption algorithms, and security vulnerability management.
· Enhanced the practicality of guiding principles.
NATIONALMEDICALPRODUCTSADMINISTRATION国家药品监督管理局
医疗器械软件技术审查指导原则
医疗器械网络安全技术审查指导原则GuidelinesforTechnicalReviewofMedicalDevice Cybersecurity(second edition;draft)
GuidelinesforTechnicalReviewMedical DeviceSoftware(secondedition;draft)
SGS医疗器械网络安全服务
SGS medical cybersecurity services
模糊测试
FUZZING
通过向目标系统或应用程序输入大量随机、不规范或畸形的数据,测试其在异常情况下的行为和稳定性。发现未知的漏洞,例如崩溃、内存泄漏或未处理的异常。
Test the behavior and robustness of the target system or application under abnormal conditions by inputting a large amount of random, irregular, or malformed data. Discovering unknown vulnerabilities, such as crashes, memory leaks, or unprocessed exceptions.
渗透测试
PENETRATION TESTING
模拟攻击者的行为,通过手动或自动化的方式入侵目标系统以评估其安全性。识别系统中的弱点,并验证漏洞的实际利用可能性。
Simulate the behavior of attackers and invade the target system manually or automatically to evaluate its security. Identify vulnerabilities in the system and verify their actual potential for exploitation.
漏洞扫描
VULNERABILITYSCANNING
使用自动化工具扫描目标系统或网络以检测已知漏洞。
Use automated tools to scan target systems or networks for known vulnerabilities.
源代码审核
SOURCE CODE REVIEW
对应用程序的源代码进行系统性检查,以发现潜在的安全问题。识别逻辑缺陷、代码注入点或其他漏洞。
Conduct systematic checks on the source code of the application to identify potential security issues. Identify logical defects, code injection points, or other vulnerabilities.
威胁建模及风险评估
THREATMODELINGANDRISKASSESSMENT
系统性地识别系统中潜在的威胁和漏洞,并分析这些威胁的可能性和影响。
Identify potential threats and vulnerabilities in the system, and analyze the likelihood and impact of these threats.
When you need to be sure
联系我们CONTACTUS
上海 ShanghaiTel: +86 (0)21 6191 5670Emial: ee.shanghai@sgs.com
深圳 Shenzhen Tel: +86 (0)755 2654 4661 Emial: ee.shenzhen@sgs.com
香港 HongkongTel:+852 2204 8343Emial: ee.hk@sgs.com
www.sgs.com www.sgsonline.com.cn
广州 GuangzhouTel: +86 (0)20 82155411Emial: ee.guangzhou@sgs.com
重庆 Chongqing Tel: +86 (0)23 8553 8555 Emial: ee.chongqing@sgs.com




