Has the FDA issued an Additional Information Request (also known as a Hold Letter) to you due to major cybersecurity deficiencies? Do some of these deficiencies seem unreasonable? Are you uncertain about the necessary steps to expedite your submission?
Alternatively, you might have an upcoming 510(k), De Novo, or PMA and concerns about inadequate cybersecurity documentation. If your team lacks cybersecurity expertise, you may be worried that cybersecurity will become the bottleneck in your submission.
Your engineers may have tried working through the FDA guidance and have been overwhelmed. It is a lot to learn. Maybe they’ve read the MITRE “Playbook for Threat Modeling Medical Devices” but still had a hard time getting started making a threat model.
We’ve been through this before and can show you the way.
If you've received an FDA Hold Letter and some of the deficiencies seem excessively demanding, there might be an opportunity to challenge it.
The ideal time to do this is during the initial FDA meeting, which is typically offered 10 days after receiving the hold letter.
Not all FDA reviewers are cybersecurity experts. They often issue "stock deficiencies" without a complete understanding. We have a successful history of challenging these. For instance, we assisted a client in arguing they didn't require penetration testing for a specific AI/ML-enabled SaMD product.
Challenging the FDA is a delicate process. It often involves negotiation. Leveraging our past experiences and software expertise, we can guide you along the best path.
As noted above, the best time to push back on major deficiencies is the initial FDA meeting, 10 days after receiving the hold letter. We can usually begin almost immediately and quickly put together a strategy.
Our cybersecurity process has been used successfully in 6+ FDA submissions since the 2023 FDA Cybersecurity Guidance was finalized, and has been progressively refined with each subsequent submission. Our past experiences have helped us understand what FDA is looking for.
We really enjoyed working with Innolitics in reviewing our cybersecurity related documentation and compiling a response to the FDA. We were particularly impressed with their knowledge and expertise in the field, and quick turn-around times to our queries. We look forward to working with Innolitics on future projects.
– Andrei Migatchev (CTO and Co-Founder at Envisionit Deep AI)
The overall process works as follows:
Unless your medical device was designed with security in mind, it's likely that some software changes will be required to secure your device and address the FDA's major deficiencies, for example upgrading dependencies and implementing missing cybersecurity controls. Our process is tailored to pinpoint these necessary changes swiftly, enabling your engineers to start working on them. In some instances, we can also provide software engineering support.
Additionally, we promptly identify any required third-party cybersecurity testing so it can be scheduled without delay. This ensures that the penetration test, which is usually mandatory, doesn't become a bottleneck to the FDA response timeline.
Once your engineers get started, we'll continue addressing your specific significant deficiencies as outlined in the following sections.
We walk the team through our process of developing a threat model over a sequence of collaborative meetings. As part of threat modeling we’ll develop a set of security architecture views that comply with FDA’s expectations. We’ll guide the team through identifying external connections, assets, threat actors, and threats. Our threat modeling typically uses STRIDE combined with as is appropriate. We consider the full end-to-end system, including “other functions”.
We can guide the Client’s team through writing an appropriate Security Risk Management Plan, including an appropriate means of assessing security risks.
We can then guide the team through a security risk assessment, using the threat modeling as an input. We’ll work with the team to trace security risks to safety risks. We’ll also help identify relevant cybersecurity controls (see the next section) and help ensure there is proper cybersecurity traceability.
We’ll work with the team to identify appropriate security risk controls against the FDA guidance. (FDA typically requires at minimum one or two controls from each control category—authentication, authorization, cryptography, integrity, confidentiality, detection, resiliency & recovery, and updates.) We’ll work with the client to identify the most useful controls that add the minimum necessary software development cost.
We can usually produce an FDA-compliant SBOM with minimal input from Client’s engineers.
Alternatively, we can help Client’s engineers set up tools to automatically generate an SBOM as part of their automated build procedures (e.g., using a GitHub Action that produces the SBOM as a build artifact). This second approach takes longer in the short term, but is more efficient long term.
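As an added illustration of the second approach (not Innolitics' own tooling), a minimal GitHub Actions workflow that generates a CycloneDX SBOM with Syft on every push and keeps it as a build artifact; the repository layout and the choice of Syft as the generator are assumptions.

```yaml
# Added example: generate an SBOM on each push and keep it as a build artifact.
# Assumptions: the device software lives at the repository root, and Syft is the
# SBOM generator (any CycloneDX- or SPDX-capable tool could be substituted).
name: sbom

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
            | sh -s -- -b /usr/local/bin

      - name: Generate CycloneDX SBOM
        run: syft dir:. -o cyclonedx-json=sbom.cdx.json

      - name: Sanity-check the SBOM
        # Fail the build if no components were found: an empty SBOM usually means
        # the dependency manifests were not detected (wrong path, vendored code).
        run: |
          count=$(jq '.components | length' sbom.cdx.json)
          echo "components found: $count"
          [ "$count" -gt 0 ] || exit 1

      - name: Upload SBOM as build artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.sha }}
          path: sbom.cdx.json
          if-no-files-found: error
```

The artifact can be downloaded from the workflow run and attached to the submission record for that build; pinning the third-party actions and the Syft installer to a specific version is a worthwhile supply-chain hardening step.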
We can guide the Client’s engineering team through the cybersecurity testing process.
We can compile all of these records into tests that are appropriate for the 510(k) submission.
We can tailor our cybersecurity management plan template to Client’s existing quality processes. We can also help document how software updates are deployed and your malware prevention plan.
We can work with the client to draft the cybersecurity sections of the IFU based on our understanding of the device and previous submissions. This includes:
Every great partnership starts with a conversation. Fill out the form below for a discovery call, and an Innolitics team member will contact you soon.