On November 30, 2021, the U.S. Food and Drug Administration (FDA) announced the release of a new playbook to assist medical device manufacturers in developing and evolving threat modeling approaches to strengthen the cybersecurity and safety of their products.
The new “Playbook for Threat Modeling Medical Devices,” commissioned by the FDA and co-authored by MITRE Corporation and the Medical Device Innovation Consortium, discusses best practices to help manufacturing organizations better understand threat modeling concepts and processes and how to apply them to medical devices (see: FDA’s Kevin Fu on Threat Modeling for Medical Devices).
What Should Medical Device Sponsors Know?
The playbook is not intended to be prescriptive or to describe only one approach to threat modeling. Rather, it was developed in large part from insights gathered during a series of threat modeling boot camps that MITRE and MDIC conducted for medical device manufacturers in 2020 and 2021, with engagement from the FDA.
“Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics,” the playbook notes, adding that it is “agnostic” about specific methodologies, and instead illustrates how different methodologies can be used, alone or in combination, to answer four key questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
“When you perform threat modeling, you begin to recognize what can go wrong in a system,” the playbook indicates. “It also allows you to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system.”
The output of the threat model informs decisions made in the subsequent design, development, testing and post-deployment phases. The playbook clarifies that use of its content is voluntary and that the document does not constitute FDA guidance or enforceable policy.
How can NAMSA Help?
Navigating the U.S. FDA regulatory landscape can be overwhelming for any medical device manufacturer – not to mention very cost-intensive. That’s why having the right partner, at the right time, can be invaluable in achieving regulatory requirements, market success and accelerated timelines.
Does your software product meet FDA’s definition of a medical device? At NAMSA, our team of regulatory experts has SaMD, AI/ML and cybersecurity experience with a variety of software devices and can guide you through the challenges of this unfamiliar regulatory environment to get your product to market in a timely manner.
NAMSA is the industry leader in driving successful regulatory outcomes through effective interactions with the FDA. In fact, our internal teams of medical device development experts communicate with the FDA nearly every day. From Pre-Submission meetings to Pre-IDE preparation, FDA inspection preparation, SaMD/AI/ML reviews and cybersecurity, our teams are the most experienced in the industry at accelerating regulatory submissions and approvals for device manufacturers. This expertise is proven to save medical device organizations up to $17M in costs and 23 months in development timelines.
If you are interested in speaking with us about FDA-related activities or other global regulatory strategies, please contact us at: https://www.namsa.com/contact-us.
Monica R. Montanez
Monica R. Montanez, MS, RAC, CQA currently serves as NAMSA's Principal Strategy Consultant. Monica has over twenty years’ experience in the medical device industry in Regulatory Affairs and Quality Assurance. Her primary focus is navigating the regulatory pathways for electro-mechanical and software-driven medical devices worldwide. She has received clearance of many 510(k)s and approval of new indications for PMA device(s), of which 90% involved software. She has broad regulatory expertise in several areas of digital health, including Software in a Medical Device (SiMD), Software as a Medical Device (SaMD), mobile medical apps, clinical decision support software, telehealth, artificial intelligence, machine learning, interoperability, cybersecurity and human factors engineering, as well as wireless medical devices: radio frequency (RF), electromagnetic compatibility (EMC) and electromagnetic interference (EMI). While in industry, she assisted in the development of FDA 510(k) guidance and FDA Software guidance directly with the FDA. Monica holds a Master of Science (MS) degree in Regulatory Science (RS) from the University of Southern California (USC) School of Pharmacy. Currently, she holds Regulatory Affairs Certification (RAC) from the Regulatory Affairs Professionals Society (RAPS) and Certified Quality Auditor (CQA) certification from the American Society for Quality (ASQ).