Our cybersecurity process has been used successfully in 6+ FDA submissions since the 2023 FDA Cybersecurity Guidance was finalized, and has been progressively refined with each subsequent submission. Our past experiences have helped us understand FDA’s expectations. That said, FDA’s expectations are continuing to evolve.
We really enjoyed working with Innolitics in reviewing our cybersecurity related documentation and compiling a response to the FDA. We were particularly impressed with their knowledge and expertise in the field, and quick turn-around times to our queries. We look forward to working with Innolitics on future projects.
Andrei Migatchev
CTO and Co-Founder at Envisionit Deep AI
With updated cybersecurity requirements rolled out during our recent FDA submission, we found ourselves looking for an experienced partner to help us navigate this new environment. We reached out to Innolitics, and they were able to quickly assess our device, develop a strategy, and meet with FDA to find a path forward. Their strategic involvement guided us toward an approach that satisfied the FDA and saved us significant upfront and on-going effort. Innolitics’ combination of software and FDA regulatory expertise was invaluable.
Eric Runde
COO at Indica Labs
It’s not so bad
Your engineers may have tried working through the FDA guidance and have been overwhelmed. It is a lot to learn.
We’ve been through this before and can show you the way.
We can help push back
If some of your major deficiencies seem excessive, you may be able to push back!
The ideal time to do this is during the FDA meeting within 10 days of receiving the hold letter.
We can usually begin immediately and can quickly put together a strategy.
Securing your device only begins with your submission. FDA requires that you follow a secure product development lifecycle, which involves ongoing work in several areas, including:
Security risk analysis and threat modeling of software changes
Fixing cybersecurity vulnerabilities in dependencies
Periodic penetration testing and fixes
Generating SBOMs for all released versions
Addressing SAST findings
If your team doesn’t have in-house cybersecurity expertise, we can augment your staff with one of our engineers who can keep up with these activities.
How much does your typical FDA Cybersecurity Remediation project cost?
It varies quite a bit based on the state of the current documentation
and the required speed of completion. If you have completed most
documents and are looking for an expert review, the cost tends to be
about $15k.
For most prospective documentation projects for class II devices, the
cost is often between $30k and $40k.
Note this does not include any software development work for
implementing cybersecurity controls, although we can help with that
too.
What are your hourly rates?
Please reach out to use and we can provide you a list of our hourly
rates for the following roles:
Partner
Senior Regulatory Consultant
Regulatory Consultant
Staff Software Engineer
Senior Software Engineer
Software Engineer
Data Annotation Associate
Do you ever work on a fixed-price basis?
No. We do not work on a fixed-price basis. We will provide a detailed
cost estimate before we start the project and we’ll provide budget
estimates through out the project, however, due to the differing nature
of each project its not possible to provide a fixed-price estimate.
Will we need to make changes to our software?
Unless your medical device was designed with security in mind, it's
likely that some software changes will be required. Our process
is tailored to pinpoint these necessary changes swiftly so your
engineers can start working on them. In some instances, we can also
provide software engineering support.
Can you provide examples of past projects similar to our product?
Yes! Please review our
case studies for a sampling of our past projects. If you don’t see
anything relevant, please reach out as only a small number of our
projects have case studies.
How does your team provide support with threat modeling?
Yes! We can work your team team to develop a threat model over a
sequence of collaborative meetings. As part of threat modeling we’ll
develop a set of security architecture views that comply with FDA’s
expectations. We’ll guide the team through identifying external
connections, assets, threat actors, and threats. Our threat modeling
typically uses STRIDE combined with other threat modeling methodologies
as is appropriate.
Our threat modeling approach considers the full end-to-end system,
including “other functions”.
How does your team provide support with security risk management?
Yes! We can guide the Client’s team through writing an appropriate
Security Risk Management Plan, including an appropriate means of
assessing security risks.
We can then guide the team through a security risk assessment, using
the threat modeling as an input. We’ll work with the team to trace
security risks to safety risks. We’ll also help identify relevant
cybersecurity controls (see the next section) and help ensure there is
proper cybersecurity traceability.
Can your team help us define necessary cybersecurity controls?
Yes! We’ll work with the team to identify appropriate security risk
controls against the FDA guidance. FDA typically requires at minimum one
or two controls from each control category:
authentication
authorization
cryptography
integrity
confidentiality
detection
resiliency & recovery
updates.
We’ll work with you to identify the most useful controls that add the
minimum necessary software development cost. We also understand what
controls FDA expects for different types of devices.
Can your team help implement cybersecurity controls?
In most cases, yes.
How does does your team help with SBOM generation?
We can usually produce an FDA-compliant SBOM with minimal input from
your engineers.
Alternatively, we can your engineers set up tools to automatically
generate an SBOM as part of their automated build procedures (e.g.,
using a GitHub Action that produces the SBOM as a build artifact). This
second approach takes longer in the short term, but is more efficient
long term.
How does your team help with cybersecurity testing?
We can guide your engineering team through the cybersecurity testing
process.
Requirements Testing: Typically handled through standard Design
Controls, however, we can help draft Design Verification Protocols for
verification of the Design Control requirements.
Vulnerability Testing: We can help select an appropriate
vulnerability testing tool and incorporate it into the development
workflow. This typically includes analyzing third-party packages for
vulnerabilities along with static code analysis.
Fuzz Testing: We can help identify appropriate interfaces to fuzz
test, define the scope, and can even help implement fuzz testing.
Penetration Testing: We can help select an appropriate pen testing
vendor and can facilitate communication with the vendor to ensure they
provide records that meet the FDA guidance.
We can compile all of these records into tests that are appropriate
for the 510(k) submission.
How does your team help with cybersecurity labeling?
We can work with your team to draft the cybersecurity sections of the
IFU based on our understanding of the device and previous submissions.
This includes:
Instructions related to the user’s security responsibilities
Security diagrams
SBOM access
Software update notification
Security anomaly reporting and detection
Backup and restore functionality
Can you guarantee there won’t be any cybersecurity issues in our submission?
No, we can’t make such a guarantee.
FDA’s expectations are continuing to evolve. Strategies that we’ve
seen work previously have stopped working in new submissions. Most teams
also can’t implement everything in the guidance (and FDA doesn’t expect
you to). We therefore will try to find the right amount of effort
required for your device. Sometimes we will undershoot.
This article provides an in-depth exploration of medical device cybersecurity requirements, including best practices and FAQs. It also includes examples and resources for those looking to implement or improve their own threat modeling processes.
An in-depth guide to navigating the use of off-the-shelf software (OTS) in the medical device industry. OTS software is general purpose software you didn’t develop yourself that you use in your device, e.g., open-source packages, cloud services, and operating systems. The article starts with the basics and then delves into more detailed issues, including strategies for documenting OTS software for the FDA.
