In December 2021, RQM+ acquired AcKnowledge Regulatory Strategies (AcKnowledge RS), a San Diego-based firm specializing in regulatory affairs consulting for the medical device and IVD industry. The integration of this impressive team enhances the extensive RQM+ network of current and former FDA reviewers, scientists, engineers and regulatory and quality experts, and adds additional expertise with FDA submissions. The author of this post is a member of this team, which has done significant work with novel and/or high-risk devices focusing on pre-submissions, 510(k)s, IDEs, PMAs, De Novos, Breakthrough Designation Requests and Safer Technology Program Requests.
October is National Cybersecurity Awareness Month, and at FDA they are promoting this year’s theme “Do your part. #BeCyberSmart.” To wrap up our own cybersecurity-focused posts this month, AcKnowledge RS’ Dr. Michelle Rubin-Onur caught up with our friend, colleague, and former FDAer, Dr. Seth Carmody.
Seth is currently the Vice President of Regulatory Strategy at MedCrypt, but while at FDA, he was the Cybersecurity Program Manager within the Center for Devices and Radiological Health (CDRH). Seth kindly answered a number of our cybersecurity questions, providing excellent insight into how FDA views and handles cybersecurity.
Michelle: Thank you so much for joining us Seth! We are really excited to talk with you about cybersecurity, and your experience at FDA. Now, cybersecurity is a term we hear discussed in relation to cell phones, computers, networks, hospitals, and medical devices. How do you explain cybersecurity in 10 words or less?
Seth: Cybersecurity is an attempt at preventing people located anywhere from making things do stuff they’re not supposed to do and since nothing is 100% secure, cybersecurity also includes observing and responding to failure. People tend to think of cybersecurity as involving laptops and cellphones or characterize it as a privacy issue. Certainly these are true, but with medical devices and other parts of critical infrastructure we’re talking about security issues directly affecting the health and safety of our nation. Was that ten?
Michelle: Ok, that was more than 10 words but that summed it up perfectly. FDA has released multiple cybersecurity guidance documents (final and draft) and has incorporated cybersecurity into the refuse to accept (RTA) checklist. Based on your experience, which sections of the guidance documents are the most misunderstood by device manufacturers?
Seth: It’s not necessarily that manufacturers misunderstand the guidance documents. It’s that solving healthcare problems is hard-wired into manufacturers' DNA, but unlike the financial sector, security is not. To fully embody what the guidance documents ask of manufacturers, cybersecurity has to be a part of their organizational DNA. That transition, adding security to products that deliver innovative clinical features, is the major challenge before us and requires a healthcare industry-wide shift. The primary drivers of that shift are; consumers of devices such as hospitals and FDA. The velocity of that shift is really dictated by how stringent consumers and FDA are with respect to security. The progress that consumers and FDA have made is substantial, as evidenced by the guidance documents and the inclusion of cybersecurity into the refuse to accept (RTA) checklist. This shift needs to accelerate, in addition to progress made by consumers and FDA, tech suppliers can help accelerate the shift by making it easier to secure the technology that manufacturers use to build medical devices.
Michelle: Speaking of a continued shift, on October 20, 2020, FDA announced that a new cybersecurity medical device development tool (MDDT) had been qualified: Rubric for Applying the Cybersecurity Common Vulnerability Scoring System (CVSS) to Medical Devices. Could you briefly explain the benefit of this tool?
Seth: It’s challenging to perform a security risk assessment for medical devices using tools commonly used in the IT space. As we discussed earlier, a laptop is connected to a printer, not a person like medical devices are. Therefore, devices have different risk considerations when it comes to assessing the severity of a vulnerability. The new tool was really developed to contextualize and standardize scoring medical device vulnerabilities using a vulnerability scoring tool called CVSS (Common Vulnerability Scoring System). The tool was designed such that any individual at a manufacturer could pick up the rubric and come to a consistent score. The consistent scoring tells us something about what the true risk of the vulnerability is. FDA is not mandating the use of CVSS or the rubric, by qualifying the rubric FDA catalyzed the adoption of a more standardized approach.
Michelle: In 2016, FDA released a guidance document discussing postmarket cybersecurity management. Could you please touch on the differences between cybersecurity premarket and postmarket recommendations?
Seth: The two policies form the Agency’s total product lifecycle expectations for cybersecurity. The premarket sets expectations for manufacturers security design and related processes. The postmarket sets expectations for the management of security risk once the device is on the market. Premarket cybersecurity risk controls, particularly cryptographic controls give manufacturers the ability to manage and respond to risk in the postmarket. Additionally, premarket processes and controls can be optimized by feeding back postmarket data.
Michelle: What advice do you have for device manufacturers that have software in their medical device or have software as a medical device (SaMD) and need to do a cybersecurity assessment? In other words, what is the best way to approach cybersecurity?
Seth: Good security isn’t a paperwork exercise; you actually have to build secure products. And security is a demanding discipline. One of ways manufacturers can get their arms around the issue is by implementing a secure product development framework (SPDF). A well implemented SPDF right-sizes the investment in people, process, and technology necessary to build secure products. One of the foundational processes to right-size security is threat modeling, One very straightforward method recommended by OWASP (Open Web Application Security Project) suggests asking the following four questions: what are we building, what could go wrong, what are we doing about it, and how do we know we did a good job? Answering these four questions helps manufacturers begin the journey of right-sizing security for any product they make. And threat modeling is top of mind for the FDA as evidenced by FDA funding a threat modeling project with the Medical Device Innovation Consortium (MDIC)
Michelle: One of your positions at FDA was Cybersecurity Program Manager at CDRH. What are some of the day-to-day responsibilities of a program manager? What were some of the challenges you faced as the program manager?
Seth: No one has ever asked me that before! It was a very challenging and rewarding position. As a chemist turned tech policy wonk, I had a lot to learn about cybersecurity, so I invested my time in getting educated by listening, reading, asking questions, and most importantly, by doing. My first foray into medical device cybersecurity came in an emergency response capacity. You learn a lot by having to jump all in and figure things out. For example, in 2017, there wasn’t a playbook on how to respond to a global cyber attack such as what happened with ‘WannaCry’ (also known as ‘WannaCrypt’) ransomware infections. The same is true for doing device reviews, recalls, and inspections for cybersecurity; there’s no playbook so you dive in, figure it out, and all those learnings start to form the big picture. Once the big picture started to emerge it helped me go out and educate others so I spent a lot of time flying around the country speaking wherever I could to get the word out, open lines of communication, build bridges, and demystify what we were trying to do. Finally, when you work on a subject that personally resonates deeply, you forget that not everyone thinks about cybersecurity 24/7 or understands how foundationally important security is to all the innovative clinical breakthroughs that are made in healthcare, so I spent time being an advocate and fighting for resources inside and outside of the Center. All these challenges helped me build that big picture worldview of healthcare cybersecurity and a big aha moment that I needed to help make security easy for healthcare, which is why I’m so excited to be at MedCrypt.
Michelle: Seth, this has been great! Thank you so much for your time, and for the opportunity to speak with you about your experiences and cybersecurity insights. You’ve given us a lot to think about and I hope our readers agree that it’s in everyone’s best interest to do their part and #BeCyberSmart!