Regulatory professionals really can’t ignore cybersecurity anymore
The barrier to obtaining market entry for a medical device isn’t what it used to be.
It’s higher.
And for device submissions, a large number of questions a manufacturer may get through the submission process can end up being related to an area where many regulatory professionals have scant experience: cybersecurity.
Michelle Jump is a RAPS member and serves as the CEO of MedSec, where she is responsible for providing strategic leadership, training, and advisory services to the medical device industry for cybersecurity. She joined RAPS for a conversation about the role of cybersecurity in regulatory affairs, the importance of learning about cybersecurity, and what attendees will learn at her upcoming Cybersecurity Unauthorized workshop. This conversation has been lightly edited for clarity.
Why is cybersecurity an important topic for regulatory professionals to learn about?
Cybersecurity has become an extremely important part of any regulatory submission for a medical device that contains software. The bar for a medical device to successfully complete a submission process in the US or internationally has risen significantly. What is expected for a medical device for obtaining market entry has gone up quite a bit, and of all the deficiencies a submission may get, a large proportion of those are cyber. Part of this is because the threat environment for medical device security and the overall critical infrastructure of healthcare has gone up significantly. And part of this is that regulators are learning more about what constitutes a secure device.
Medical device manufacturers are further challenged by new hires coming into the medical device industry who are technical experts in cybersecurity, but they may not really understand the regulatory aspects. The rules for regulated environments are different than the general rules of just good cybersecurity technology and practices. And so, when we look at successful submissions and successful projects that go through a medical device manufacturer, it is regulatory professionals who really understand what is expected in a cybersecurity submission coupled with technical professionals who can help create those documents and design those products with cybersecurity in mind.
What are some ways that a lack of cybersecurity knowledge can hurt a regulatory professional or their company?
Regulatory professionals who have avoided really understanding the regulatory guidance around cybersecurity or software or any of those technical areas because they don't feel technically qualified are adversely affecting their ability to be a successful partner to their technical teams. Their submission can go significantly at risk if they do not sufficiently prepare and try to understand the documentation that's coming from those teams, because if they can't understand it, as the regulatory professional who's read the guidance and understands the basic concepts, then you can't expect the regulator to understand it as well.
So, if you think about it from a reviewer point of view, if your documentation is maybe technically accurate but not very easy to read, or not very easy to understand, then you're going to end up with deficiencies and questions and it's going to delay your submission or even put the submission at risk.
What will attendees learn at RAPS’ Cybersecurity Unauthorized workshop?
The workshop that we've developed for RAPS is kind of unique. It goes over what should be in a product security program overall—so what kind of supporting infrastructure should you have in your quality system to be able to produce the deliverables that need to go into your submission? The most important part is that you're generating these documents as you're developing the device, not generating these documents for a submission. This should be part of the infrastructure of your product development process. And so, we go over, what does a good product security program look like? All the elements, I call them pillars, right? You have a governance pillar, a risk management pillar, a secure design pillar, and a postmarket pillar.
All of these things are very important. If you miss any one of them, you're likely to get not only a deficiency, but a deficiency with a lot of parts to it and trying to answer those when you haven't provided the basic information can be really challenging. So, we go over, “What does the product security program look like?”
But I think one of the unique parts of the RAPS Cybersecurity Unauthorized program is that we also have partnered with key leaders from the FDA who come and talk very frankly about what do you do to prepare for a good submission. And you get the opportunity to interface with folks who've been directly related to the policy development of the guidance that we have to follow every day as regulatory professionals.
So, you get to hear directly from them interpreting what they're asking for, and you get the opportunity to ask them questions. They go over the guidance documents, they go over submission preparation and pre-submission preparation and all the things that we really want you to know to be a successful regulatory professional covering cybersecurity issues in your submission, as well as other areas of audits and other things where you have to defend that your security has been put in place properly.
Who is this workshop intended for? Who might benefit from attending?
We get a wide variety of attendees. Some folks might think that it's typically just your regulatory professionals that come in, but we typically have a mix of technical folks, regulatory folks, quality folks, and even some leaders. If I were leading a regulatory group within an organization or even an R&D group within an organization, I would take this course.
I was just asked recently by someone to deliver a training course internally for them because they wanted their decision makers to be well-informed so that they can make important decisions on the design, pathway, resources, distribution and focus areas. And so personally, I think that leaders should also be taking this course because it explains to them—and they get to hear it directly from the regulators—what the regulators want to see as well as what their programs should look like. So, leaders of organizations should understand what is expected of them, as well as those people delivering the submissions and owning the submissions, and people in the quality side and people in the technical side. All of those groups need to work together to appropriately resource, deliver and defend the design of their device and their plan for marketing it.
Learn how to navigate the challenging environment of cybersecurity for regulatory and quality.
Secure your seat for RAPS' Cybersecurity Unauthorized workshop today.