Championing cybersecurity regulatory affairs with Nidhi Gani
Nidhi Gani is a seasoned regulatory affairs professional with over a decade of experience in cybersecurity, medical devices, and digital health. She’s worked with devices ranging from heart and lung machines to rehabilitation devices. Nidhi works at Embecta in regulatory affairs for software and cybersecurity and is a Cybersecurity Fellow at the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University. She joined the Left to Our Own Devices podcast to share her experiences and her insights.
The world of regulatory affairs for medical device manufacturers has undergone a seismic shift in recent years as regulators demand more reliability and transparency from medical device manufacturers, especially surrounding their cybersecurity.
On the podcast, Nidhi Gani explained how she came to the US to continue her studies in biology and immunology and discovered regulatory affairs along the way. As she learned more about the greater medical ecosystem, she discovered her calling in this growing niche that would help companies reach the market with less regulator friction.
Regulatory Affairs as a strategic partner
In the earlier years of her career, before the FDA’s Pre-Market guidelines for cybersecurity, the cooperation between teams and regulatory affairs professionals was challenging.
Engineers and other team members perceived Nidhi’s role as intrusive. “As a regulatory affairs professional, one of the major challenges you face would be to lead without authority,” said Nidhi. Before cybersecurity measures were required, regulatory affairs were stern internal recommendations that were not necessarily enforceable. “Many times, there are engineers and the team does not completely want to reveal information.”
By acknowledging this reality and taking the time to understand the full structure of the organization you are in, you can make a lot of headway. Nidhi said “Regulatory affairs is seen as an inhibition. But, if you use regulatory affairs strategically, they can be a very good catalyst towards your product development as well as regulatory approvals.”
This initial resistance was especially true with startups whose value is held within their proprietary technology. Leakage of that information could mean the end of the company before it gets off the ground. This required her to shift the way she worked with these organizations and, many times, to learn about new regulations on her feet.
An example of this was when she first entered the field and was working on variables. The software and cybersecurity regulations were not yet fully formed. The regulations themselves were new, so bridging the gap between regulators and the team required her to build a working understanding of what was necessary before it had been tested by other organizations.
Even today, it’s about bringing people into the fold, explaining the regulations and the benefits of following them.
Working to gain iCAD’s FDA approval
In March 2021, iCAD, Inc. gained FDA approval for a breast cancer detection technology. This news traveled well beyond the medical community since it was the first AI/ML algorithm to gain such approval.
Nidhi explained how this presented a unique opportunity because, unlike a traditional medical device that could be taken offline for updates or routine maintenance, this was a SaaS product that lived in the hospital’s internal network. “It is an incredible technology because it was the first algorithm that was cleared by the FDA and that program. The challenges of that device are multifold because more than the device itself posing or having cybersecurity vulnerabilities, it was the network that it would be exposed to and also during troubleshooting and customer service as well.”
Obtaining a level of security that iCAD found acceptable still took time even after they gained FDA market clearance.
This was before the Omnibus bill, which took the FDA’s power to enforce cybersecurity guidelines to a different level. It was up to her to prepare the software to be regulatory-ready and remain compliant in the future. She achieved this feat by reaching out to people who she knew would not be excited to hear from her and learning to identify all the different aspects of the company.
Once she had an inventory of all assets, she built risk management plans based on the NIST framework and collected enough data to understand the company’s posture and begin implementing programs. “That, I think, is the beauty of the medical device industry because you can build your quality management systems in the way you can rationalize as well.”
Nidhi leans on the strength of Product Security Management Systems, where vulnerabilities, risks, and other security-related challenges can be discovered and managed.
Omnibus and regulations
In the past, the FDA had guidelines on what they’d like to see regarding cybersecurity in medical devices. Today, after the passing of the December 2022 Omnibus bill, the FDA has the legal authority to require minimum cybersecurity standards across all devices wanting market approval, not as a bolt-on, but as a core aspect of the technology.
When it comes to the FDA’s Refuse to Accept (RTA) policy, the agency’s right to refuse approval to any device that does not meet the cybersecurity requirements, the interview turned to how SBOMs are front and center. They covered how these software bills of materials play a critical role in understanding what’s in each device and which components are vulnerable to attack, something that could have protected many devices during Log4j.
The conversation then dove deeper into how security systems, like safety systems, must be tested continuously rather than treated as a one-and-done task. “When you’re looking at vulnerability disclosure, you’re also looking at patching and updating,” said Nidhi. This brings security into the same realm as safety, with parameters on what should be updated and what should be recalled, what the risk is, and so on.
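The SBOM point above (knowing which components a device contains so that an affected version can be found quickly, as with Log4j) is illustrated by the following added example. It is not code from the podcast, from iCAD, or from any vendor: it walks a constructed SBOM in CycloneDX JSON layout, including nested components, and flags any component whose version falls inside an advisory’s affected range. The advisory identifiers are labelled placeholders and the version ranges are illustrative sample data, not authoritative vulnerability records; the same range check works for any component, not only Log4j.

```python
"""Walk a CycloneDX-style SBOM and flag components inside a known affected
version range. Added example with constructed data: the SBOM below is sample
input and the advisory list uses placeholder identifiers and illustrative
ranges, not real advisory records."""
import json
import re

# Constructed SBOM in CycloneDX JSON layout. A real one is produced by the
# build tooling and shipped alongside the device submission.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "framework", "group": "com.example", "name": "imaging-sdk",
         "version": "3.2.0",
         # nested components: a dependency bundled inside another component
         "components": [
             {"type": "library", "group": "com.example",
              "name": "dicom-parser", "version": "1.0.4"}]},
    ],
})

# Constructed advisory list:
# (placeholder advisory id, group, name, first affected, first fixed).
# The ranges are illustrative, not authoritative vulnerability data.
ADVISORIES = [
    ("ADVISORY-PLACEHOLDER-1", "org.apache.logging.log4j", "log4j-core",
     "2.0", "2.17.1"),
    ("ADVISORY-PLACEHOLDER-2", "com.example", "dicom-parser",
     "1.0.0", "1.0.5"),
]


def parse_version(v):
    """Turn '2.14.1' or '1.0.4-rc1' into a comparable tuple.

    Numeric parts are padded to four places so '2.0' equals '2.0.0', and a
    pre-release suffix sorts below the bare release (tail (0, suffix) < (1, ''))."""
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    nums = nums + (0,) * (4 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def iter_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_affected(sbom_json):
    """Return [(advisory id, 'group/name@version')] for each component whose
    version lies in an advisory's [first affected, first fixed) range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in iter_components(sbom.get("components", [])):
        for adv_id, group, name, first_bad, first_fixed in ADVISORIES:
            if comp.get("group") == group and comp.get("name") == name:
                ver = parse_version(comp["version"])
                if parse_version(first_bad) <= ver < parse_version(first_fixed):
                    hits.append((adv_id, f"{group}/{name}@{comp['version']}"))
    return hits


if __name__ == "__main__":
    for adv_id, ref in find_affected(SAMPLE_SBOM):
        print(f"{adv_id}: {ref} is within the affected range")
```

Run against the sample, the 2.14.1 copy of log4j-core and the nested dicom-parser are reported while the patched 2.17.1 copy is not. The recursion into nested components matters in practice: a vulnerable library bundled inside a vendor SDK is exactly the kind of dependency an inventory built from top-level packages alone would miss.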
Looking beyond the United States to how other countries are working on their own measures, Nidhi said: “I think most countries and continents are following suit and producing their own cybersecurity regulations and AI SMD regulations because technology has been moving forward after the pandemic, or rather, it has accelerated the growth by at least a decade, and the regulators are catching up and they’re doing a good job.”
Ultimately, regulation is about working in citizens’ best interest while allowing industries to continue to grow and innovate. Harmonizing medical device cybersecurity standards saves costs for manufacturers, but Nidhi stresses that there are greater questions about storing data and moving it across borders that must be addressed.