As Promenade’s involvement in cybersecurity continues to grow, one of our core offerings has become assisting clients in preparing FDA submission materials—particularly in the context of cybersecurity. Many clients approach us after receiving a rejection letter from the FDA, often due to cybersecurity-related shortcomings. The FDA’s latest guidance is intricate, and software engineers, though highly skilled, are not always well-versed in cybersecurity or regulatory expectations.
Historically, software development in the medical device space focused primarily on clinical functionality and usability. However, with the rise in cybersecurity breaches at medical facilities over the last decade, the landscape has changed significantly. Regulators and healthcare institutions are increasingly prioritizing cybersecurity. In fact, Congress mandated the FDA to enforce medical device security through the Food and Drug Omnibus Reform Act of 2022. The medical device development community is still adapting to this shift, and that’s where we often step in.
Cybersecurity revolves around identifying vulnerabilities and assessing the risks they pose. Importantly, cybersecurity requirements vary widely depending on the device. For instance, operator authentication is critical for some devices, while others prioritize accessibility.
A great example is the Automated External Defibrillator (AED)—its design mandates immediate access for anyone, regardless of authentication. Conversely, devices that handle patient data must incorporate strong user authentication to protect sensitive information. Nearly all devices include some level of privileged access for administrative or field service personnel, and such access must be properly secured. Gone are the days of hard-coded service passwords—these are now considered a significant security risk and are strictly prohibited. While there are common expectations across all devices, each product has unique cybersecurity considerations.
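The point about privileged service access is easiest to see in code. The following is an added illustration, not code from Promenade or from any client device: it places the legacy pattern (one service password compiled into every unit) beside a per-device credential scheme in which the device stores only a salted PBKDF2 verifier bound to its own serial number and compares it in constant time. Every name, serial and secret in it is a constructed placeholder.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- Legacy anti-pattern (constructed placeholder, the kind of thing the text says is now prohibited) ---
# One literal baked into the firmware: identical on every unit, cannot be rotated
# without a firmware update, and recoverable by anyone who can read the image.
LEGACY_SERVICE_PASSWORD = "service123"


def legacy_service_login(entered: str) -> bool:
    """Legacy check: shared secret, plain string comparison (not constant time)."""
    return entered == LEGACY_SERVICE_PASSWORD


# --- Hardened pattern: per-device credential, verifier only, device-bound, constant-time compare ---
PBKDF2_ITERATIONS = 100_000  # tune to the device's CPU budget; higher is slower to brute-force


@dataclass(frozen=True)
class ServiceCredential:
    """What the device actually stores; the secret itself is never written to the unit."""
    device_serial: str
    salt: bytes
    iterations: int
    verifier: bytes


def _derive_verifier(secret: str, salt: bytes, device_serial: str, iterations: int) -> bytes:
    # Mixing the serial into the key material binds the record to one unit, so a
    # credential store copied from device A is useless on device B.
    material = device_serial.encode() + b"\x00" + secret.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def provision_service_credential(device_serial: str, secret: str,
                                 iterations: int = PBKDF2_ITERATIONS) -> ServiceCredential:
    """Run at manufacturing or on credential rotation; returns the record to persist on the device."""
    salt = os.urandom(16)  # fresh per provisioning, so equal secrets never share a verifier
    return ServiceCredential(device_serial, salt, iterations,
                             _derive_verifier(secret, salt, device_serial, iterations))


def verify_service_credential(cred: ServiceCredential, device_serial: str, entered: str) -> bool:
    """Device-side login check. Constant-time comparison avoids leaking how many bytes matched."""
    candidate = _derive_verifier(entered, cred.salt, device_serial, cred.iterations)
    return hmac.compare_digest(candidate, cred.verifier)


def rotate_service_credential(cred: ServiceCredential, new_secret: str) -> ServiceCredential:
    """Rotation is a data update, not a firmware update; the old verifier simply stops being stored."""
    return provision_service_credential(cred.device_serial, new_secret, cred.iterations)


if __name__ == "__main__":
    cred = provision_service_credential("SN-000123", "per-unit-secret")  # constructed values
    print("correct secret on own device:", verify_service_credential(cred, "SN-000123", "per-unit-secret"))
    print("wrong secret:", verify_service_credential(cred, "SN-000123", "guess"))
    print("record replayed on another unit:", verify_service_credential(cred, "SN-000999", "per-unit-secret"))
    rotated = rotate_service_credential(cred, "new-per-unit-secret")
    print("old secret after rotation:", verify_service_credential(rotated, "SN-000123", "per-unit-secret"))
```

The two properties a reviewer looks for in a submission are visible here: the secret is not present on the device (only a salted verifier is), and revocation or rotation is a data change rather than a firmware release. The legacy function is included only so the contrast is concrete.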
That’s why we begin every project with a Cybersecurity Gap Analysis. This analysis aims to uncover:
Medical devices run the gamut from simple embedded systems to complex, cloud-connected instruments. The associated cybersecurity risks range from negligible to life-threatening. Unlike enterprise IT systems, medical devices often require customized, device-specific security strategies. Therefore, understanding the threat landscape and associated risks is the essential first step.
Similarly, our clients vary greatly in their cybersecurity maturity. Some possess a well-documented, robust cybersecurity framework and simply request a final review. Others have implemented minimal security measures and lack supporting documentation. In fact, the more advanced a client’s implementation, the more nuanced and challenging the gap analysis becomes—like identifying hairline cracks instead of wide gaps.
Some clients opt to receive only the gap analysis and our documentation templates, continuing the process independently. Others prefer a more collaborative approach, relying on us to develop their full set of submission materials. Each engagement is tailored to the client’s unique needs and context.
In summary, the Cybersecurity Gap Analysis serves as the foundation of our cybersecurity consulting services. It allows us to gain a comprehensive understanding of a client’s system and regulatory posture, and to provide actionable insights that guide their path to successful FDA submission.