Interview with a specialist in security regulations for medical devices, Seth Carmody
Threat modeling is gradually finding its way in the R&D processes of medical devices, with the FDA being one of the main driving forces. We had a conversation with Seth Carmody, Vice President of Regulatory Strategy at MedCrypt and former Cybersecurity Program Manager, Medical Devices at FDA.
Drawing on his ten years of medical device experience, Seth provides strategic direction for cybersecurity products and services for the regulated medical device market. At FDA (U.S. Food and Drug Administration) he spent 8 years architecting technology policy and laws that impact software-enabled medical devices, such as the FDA’s medical device cybersecurity policies.
Can you describe your background and how you got into medical device cybersecurity?
“I studied organic chemistry in graduate school, which prepared me well for an opportunity at FDA to work in diabetes devices. Part of my role at FDA was to review software for these medical devices.
In 2013, a security researcher submitted their research to us; this research included hundreds of devices. In that time the Center for devices, had no mechanisms, policies, let alone expertise to deal with this information. The group charged with the task of dealing with all the research information came to me and said, ‘Hey Seth, you like software, don’t you?’, and handed me the files. That launched me into an incident response role which evolved to include technology policy so that we could get ahead of post-market issues. It’s through these roles that I picked up a lot of knowledge about cybersecurity for medical devices.”
What is your experience with threat modeling?
“As a practitioner, very little. However, the advantage of not being a specialist is that you are able to see the big picture about how threat modeling fits within the existing medical device regulation. I remember the conversations with experts in 2014 about how threat modeling was going to be important. If you look to the FDA postmarket guidance that was finalized in 2016, you will find in the appendix a section on threat modeling. At the time my conception of where it would fit in the world was not really solidified.
In the 2018 draft premarket guidance and the re-release of that draft in 2022, you see that threat modeling is taking on an increasingly important role, as the driving force for everything else regarding medical device security. That has been my evolution as a policy writer. You feel something is important, but you do not know where it exactly fits and how important it will be, but gradually you learn by observation and from other experts where it fits. Threat modeling has really become the security risk assessment staple.”
What is the relation between threat modeling and other security activities as part of the FDA guidance?
“If you are a professional in IT security, you have a world that is very mature. In the medical device space, we are really in a transition period. Medical devices have always been built without security in mind. That is not because of some miss on the part of the medical device manufacturers, they just focused on delivering the best medical features. That was their core business. Now we are in a transition period where security features should be considered in the early stages of the R&D processes. You see that threat modeling is a centerpiece within that transition period and it drives decisions about the security controls that should be implemented.
Medical devices typically do not come with standard security controls. Threat modeling helps to define and crystalize the security controls needed to assure medical device cybersecurity.
Another important pillar is making clear what the value of threat modeling is for the business. It is the main struggle that security specialists are dealing with. Some medical device manufacturers ask themselves why they should take the effort and how it will benefit the business. We must make it clear that, although it might be an extra cost in the development stage, it will pay off later on, in terms of reputational savings and forced redesigns in the future.”
What is your prediction for the final version of the FDA Guidance on Cybersecurity in Medical Devices and when will it become “active”?
“The draft was finalized in 2022 and the commenting period ends in the beginning of July. It will take a month or two for the internal team at FDA to process all the comments and alter the document where needed. It will go through different layers of review before it is passed to the official guidance clearance process. That will be sometime around the fourth quarter of this year.
The final approval process takes up another nine months. So, we are looking at Q3 of 2023.
However, some things can influence the timeframe.
During covid the health care sector was mainly focused on fighting the pandemic, leaving fewer resources in commenting, editing and approving guidance documents. So, things like that delay the whole process dramatically.There are also other factors that can compress the approval period. If the U.S. President or the US FDA Commissioner, Robert Califf, state that the policy is important to get out, it can move a lot faster. If the Commissioner expedites the clearance process, we could see it finalized in October 2022, if not I would say Q1 of 2023.
You are a contributor and bootcamp facilitator of the MDIC – Playbook for Threat Modeling Medical Devices. What is your take-away from this?
“The playbook was co-built by lots of industry experts, but primarily facilitated by the MDIC (Medical Device Innovation Consortium), MITRE, and FDA. MDIC is a consortium that is funded by the industry, working on industry-wide problems. For me it was obvious that threat modeling is one of those industry-wide problems that needs an industry-level effort.
We launched a project with different stakeholders and manufacturers with the aim to make a playbook, with examples, that help people through the threat modeling process.
The takeaway from it is twofold.
To be successful in this industry, we need an army of threat modelers. We need specialized people that really get threat modeling and are in that security minded space. And we also need a thin layer of threat modeling for everybody, maybe even you. If you stimulate everybody to start thinking in a threat modeling way, it will raise the bar and the level of security for medical devices and medical technology. If a regulatory affairs person receives threat modeling training, and they see the engineers come up with some piece of documentation with respect to cybersecurity or threat modeling, they will understand the value of this. It builds a security minded foundation for everyone.
The MDIC Playbook is a good start in terms of rallying different stakeholders around the issue of threat modeling and working through some of the issues. The goal is to raise the bar a little bit and try to pass through the built-up knowledge to the rest of the industry.”
What is your recommendation for any medical device manufacturer who considers a pre-market submission?
“There are a few factors that contribute to what I would call the uncertainty for anyone who is looking to submit.
First, the 2022 guidance is in draft and not for implementation. So technically, the only guidance that is valid for implementation is the 2014 version, which is solid, but insufficient. The catastrophic impact of cybersecurity issues which we have seen recently – think WannaCry – tells us that we cannot wait to start implementing threat modeling.
Basically, when you submit as a manufacturer before the official release of the new guidance, you may get a reviewer that says “show me your threat model” or you may get a reviewer that does not.
I would recommend medical device manufacturers to always do a pre-submission. It’s a cost-free submission to the FDA to ask any question you want. You can send in your threat model, ask questions, and get feedback. Or just ask them what they expect in terms of threat modeling. That way you get information before you submit.
If you submit and the FDA tells you they need a threat model, you will have to dive in. Luckily, that does not have to be complicated. With the right focus and the right people, you will arrive at something that will hit all the major risks and cover them in a reasonably short time. It is a continuous process, but you can start pretty easily, and you will get something that will be submittable to the FDA.”
How can we make threat modeling more effective for a medical device development team?
“As said before: we need more threat modelers, so a training that is focused on the medical device space would benefit the industry greatly. And for that, we can draw on training that is already built.
Secondly, the value of threat modeling should be articulated. We have to come to a point where medical device developers automatically say: ‘We need security controls here, here, and here. How do we do it? What will it cost? How much time will it take to implement?’ These are all important questions for the business that are trying to meet market demands.”
Guest article by Seth Carmody
