The Cybersecurity Gap Analysis

As Promenade’s involvement in cybersecurity continues to grow, one of our core offerings has become assisting clients in preparing FDA submission materials—particularly in the context of cybersecurity. Many clients approach us after receiving a rejection letter from the FDA, often due to cybersecurity-related shortcomings. The FDA’s latest guidance is intricate, and software engineers, though highly skilled, are not always well-versed in cybersecurity or regulatory expectations.

Historically, software development in the medical device space focused primarily on clinical functionality and usability. However, with the rise in cybersecurity breaches at medical facilities over the last decade, the landscape has changed significantly. Regulators and healthcare institutions are increasingly prioritizing cybersecurity. In fact, Congress mandated that the FDA enforce medical device security through the Food and Drug Omnibus Reform Act of 2022. The medical device development community is still adapting to this shift, and that’s where we often step in.


Cybersecurity revolves around identifying vulnerabilities and assessing the risks they pose. Importantly, cybersecurity requirements vary widely depending on the device. For instance, operator authentication is critical for some devices, while others prioritize accessibility.

A great example is the Automated External Defibrillator (AED)—its design mandates immediate access for anyone, regardless of authentication. Conversely, devices that handle patient data must incorporate strong user authentication to protect sensitive information. Nearly all devices include some level of privileged access for administrative or field service personnel, and such access must be properly secured. Gone are the days of hard-coded service passwords—these are now considered a significant security risk and are strictly prohibited. While there are common expectations across all devices, each product has unique cybersecurity considerations.


That’s why we begin every project with a Cybersecurity Gap Analysis. This analysis aims to uncover:

  1. What cybersecurity features or practices are missing in the system, and
  2. What documentation is lacking in the FDA submission materials regarding cybersecurity.

Medical devices run the gamut from simple embedded systems to complex, cloud-connected instruments. The associated cybersecurity risks range from negligible to life-threatening. Unlike enterprise IT systems, medical devices often require customized, device-specific security strategies. Therefore, understanding the threat landscape and associated risks is the essential first step.


Similarly, our clients vary greatly in their cybersecurity maturity. Some possess a well-documented, robust cybersecurity framework and simply request a final review. Others have implemented minimal security measures and lack supporting documentation. In fact, the more advanced a client’s implementation, the more nuanced and challenging the gap analysis becomes—like identifying hairline cracks instead of wide gaps.

Some clients opt to receive only the gap analysis and our documentation templates, continuing the process independently. Others prefer a more collaborative approach, relying on us to develop their full set of submission materials. Each engagement is tailored to the client’s unique needs and context.


In summary, the Cybersecurity Gap Analysis serves as the foundation of our cybersecurity consulting services. It allows us to gain a comprehensive understanding of a client’s system and regulatory posture, and to provide actionable insights that guide their path to successful FDA submission.

Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.  

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.
