In Medcrypt’s Stock Deficiency blog series, learn how receing a deficiency letter affects all roles in your organization from product engineers, to regulatory affairs professionals, to the c-suite. Missed part 1 of the blog? Read it here.

Why do executives care about cybersecurity deficiencies?

MDMs are working in a competitive environment, attempting to bring innovative healthcare products to market faster, with better features, while also balancing risk to their organization and brand. Cybersecurity events represent business risk, reputational risk, and regulatory risk. Failure to design-in adequate cybersecurity can lead to an inability to market new products, and in the postmarket it can lead to recalls, market withdrawals, FDA inspections with warning letters, as well as possible enforcement actions from SEC.

While device cybersecurity may have been a low priority in the past, secure-by-design is now a critical aspect of getting through regulatory reviewers. Having a postmarket cybersecurity management strategy is now required for FDA for cyber devices. Failure to achieve secure-by-design can lead to one or more stock deficiencies from FDA, and FDA has already issued rejection letters (Not Substantially Equivalent (NSE, for 510(k)), Not Approvable (NOAP, for PMA)) on the basis of failing to meet requirements under section 524B of the FD&C Act. Additionally, FDA has noted in their premarket guidance that “inadequate cybersecurity information in the device labeling may cause a device to be misbranded under section 502(f) of the FD&C Act if its labeling does not bear adequate directions for use.” FDA is also indicating that “for cyber devices, failure to comply with any requirement under section 524B(b)(2) (relating to ensuring device cybersecurity) is considered a prohibited act under section 301(q) of the FD&C Act”.

Executives need to be able to forecast sales, ensure realistic timelines are set, expectations are managed, and are ultimately accountable for the organization’s bottom line. For cybersecurity, this means that the organization needs a cybersecurity program that will provide assurance to executives that the company can ensure compliance with statutory requirements. The plan is consistent with the recommendations in guidance, scaling with risk for the devices.

What executives need to do to avoid or address cybersecurity (stock) deficiencies:

Executives need to understand that remaining in compliance with ISO 13485 means ensuring a robust product security program is in place within their QMS to ensure and maintain security, safety and effectiveness of the device. According to Section 5 “Management Responsibility”, top management shall ensure that customer requirements and regulatory requirements are met, and ensure the availability of resources, among other requirements. The Quality Management System should enable a Secure Product Development Framework (SPDF) to address the following:

1. Appropriately Trained Personnel — the organization needs to have qualified security professionals who have appropriate training, education, credentials and experience per 21 CFR Part 820.25 or ISO 13485 section 6.2 to design, develop and manage cybersecurity for individual devices and the organization’s entire portfolio, as appropriate
2. Regulatory Expectations
3. Requirements under Section 524B of the FD&C Act
4. Recommendations per the guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
5. Security Risk Management
6. Threat Modeling, Interoperability Considerations, Third-Party Software Components, and Assessment of Unresolved Anomalies.
7. Security Architecture
8. Security Controls Implementation, System Views, Updatability/Patchability, and Use Case
9. Cybersecurity Testing throughout the development lifecycle to support threat mitigation
10. SAST/DAST, SCA, SBOM assessment, Fuzz testing, Penetration Testing, and Vulnerability Scanning

In keeping with ISO 13485 section 5.6, top management shall review the QMS at certain intervals to ensure its adequacy and effectiveness. From a product security standpoint this should include meeting with RA, QA and engineering teams to evaluate how postmarket signals feed back into premarket development plans and procedures, including into coding standards, software development best practices and evaluation of risk associated with the use of off-the-shelf or open source software. This ensures a continuous improvement and an organizational evolution that parallels the evolving threat environment, and helps the development team maintain awareness of common weaknesses that are present in software/firmware/hardware to ensure their development practices minimize exposure to those common weaknesses.

Executives should ensure that the organization adequately budgets for cybersecurity through the total product lifecycle. Failure to properly allocate budget can lead to costly delays in go-to-market due to deficiency letters, the need for remediation of deficiencies which may include re-design and additional testing, and potentially, FDA citation of Section 301(q) of the FD&C Act “Prohibited Acts” which could lead to FDA enforcement action. Additionally, for publicly traded companies in the US, executives are accountable for disclosing information to the SEC in three categories: (1) cybersecurity risk management; (2) cybersecurity governance; and (3) cybersecurity incident reporting. Executives should ensure that the organization has an appropriate plan for risk management, cybersecurity governance and incident reporting to ensure that they are compliant with SEC expectations in addition to FDA requirements and recommendations. Separately, the organization should be aware of industry standards and ensure compliance or awareness of those that are appropriate.

Medcrypt offers pre-reviews of premarket submissions before you submit to FDA through our FDA Cybersecurity Readiness Assessment. If you have already received a deficiency letter, Medcrypt can support you through your deficiency response. We’re happy to be your FDA cybersecurity partner to ensure that your filings are clear and complete.

Interested in learning more about how Medcrypt helps medical device manufacturers meet regulatory requirements? Contact us at info@medcrypt.com and visit us at medcrypt.com to discover our full suite of medical device cybersecurity products and services.

‍