By Ira Owens, Medcrypt Director of Cybersecurity and Ayushi Soni, Medcrypt Cybersecurity Intern

In Medcrypt’s Stock Deficiency blog series, learn how receing a deficiency letter affects all roles in your organization from product engineers, to regulatory affairs professionals, to the c-suite. Missed part 1 of the blog? Read it here.

Why do regulatory affairs professionals care about stock deficiencies?

MDMs need clearance or approval from the FDA to sell their medical devices in the United States. This process involves following regulations and interpreting FDA and industry guidance and/or standards to ensure cybersecurity compliance. The interpretation of these cybersecurity requirements often falls on the Regulatory Affairs team (and some others) within most organizations. Failure to meet the minimal cybersecurity requirements when submitting to the FDA often leads to one or more stock deficiencies, and occasionally, an FDA rejection letter (NSE, NOAP). Section 524B of the FD&C Act requires that MDMs establish and maintain a comprehensive cybersecurity risk management program for cyber devices, therefore failure to provide adequate documentation of cybersecurity will lead to deficiencies as this information is now mandatory! The Regulatory Affairs and Product Security teams are responsible for establishing and documenting a cybersecurity program that addresses pre- and postmarket cybersecurity considerations such as; threat modeling, security risk assessment, vulnerability management, patching, and postmarket surveillance. In addition, the Regulatory Affairs and Product Security teams are required to develop and document their cybersecurity strategy in organizational procedures and plans. Navigating the FDA and other industry guidance and/or standards can be an arduous and overwhelming task for businesses of all sizes.

What regulatory affairs professionals need to do to address stock deficiencies:

According to new FDA guidance, MDMs need to implement a Secure Product Development Framework (SPDF) or something similar to address the following:

1. Regulatory Expectations
2. Requirements under Section 524B of the FD&C Act
3. Recommendations per the guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
4. Security Risk Management
5. Threat Modeling, Interoperability Considerations, Third-Party Software Components, and Assessment of Unresolved Analmoiles.
6. Security Architecture
7. Security Controls Implementation, System Views, Updatability/Patchability, and Use Case.
8. Cybersecurity Testing throughout the development lifecycle to support threat mitigation
9. SAST/DAST, SCA, SBOM assessment, Fuzz testing, Penetration Testing, and Vulnerability Scanning.

The FDA also recommends MDMs utilize standards like:

• NIST Cybersecurity Framework (CSF)
• AAMI TIR57: Principles For Medical Device Security — Risk Management
• AAMI TIR97: Principles For Medical Device Security — Postmarket Risk Management For Device Manufacturers
• ANSI/AAMI SW96:2023: Standard For Medical Device Security — Security Risk Management For Device Manufactures,
• Medical Device and Health IT Joint Security Plan (JSP),
• ANSI ISA-62443–4–1–2018: Security for Industrial Automation and Control System, Part 4–1: Product Security Development Life-Cycle Requirements, and
• IEC 81001–5–1 Edition 1.0 2021–12: (Health Software and Health IT Systems Safety, Effectiveness and Security — Part 5–1: Security — Activities in the Product Life Cycle).

Each of these standards provide specific recommendations to MDMs on how to implement a robust, trustworthy, and overall resilient SPDF. Moreover, these standards provide important considerations for the development of devices and complement the documentation FDA recommends MDMs provide for review as part of premarket submissions.

Medcrypt offers reviews of premarket submissions before you submit to FDA through our FDA Audit. If you have already received a deficiency letter, Medcrypt can support you through your deficiency response. We’re happy to be your FDA cybersecurity partner to ensure that your filings are clear and complete.

Interested in learning more about how Medcrypt helps medical device manufacturers meet regulatory requirements? Contact us at info@medcrypt.com and visit us at medcrypt.com to discover our full suite of medical device cybersecurity products and services.

‍