Nidhi Gani, a seasoned regulatory affairs professional with expertise in cybersecurity, medical devices, and digital health, recently appeared on the “Left to Our Own Devices” podcast to share her experiences and insights. With over a decade of experience in the field, Gani has worked with various medical devices, including heart and lung machines and rehabilitation devices. Currently, she serves as a Regulatory Affairs Software and Cybersecurity professional at Embecta and is a Cybersecurity Fellow at the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University.
During the podcast, Gani discussed the evolving landscape of regulatory affairs for medical device manufacturers, emphasizing the increasing demand for reliability and transparency in relation to cybersecurity. She explained how she was initially drawn to regulatory affairs while pursuing her studies in biology and immunology in the United States. As she gained a deeper understanding of the medical ecosystem, she realized the importance of regulatory affairs in helping companies navigate regulatory obstacles and bring their products to market more smoothly.
In the earlier years of her career, Gani faced challenges in collaborating with teams and other professionals in the field. Engineers and team members often viewed regulatory affairs as intrusive, creating difficulties in leading without direct authority. Before the implementation of cybersecurity measures, regulatory affairs professionals primarily provided internal recommendations that were not enforceable. Engineers and team members sometimes hesitated to disclose crucial information. However, Gani emphasized the strategic value of regulatory affairs in product development and regulatory approvals when utilized effectively. By highlighting the benefits and explaining regulations, regulatory affairs professionals can act as catalysts for the success of a product.
This initial resistance was particularly evident in startups, where proprietary technology holds significant value. Gani had to adapt her approach when working with such organizations, especially when new regulations emerged. She recalled early experiences in the field when software and cybersecurity regulations were still developing. Bridging the gap between regulators and the product development team required her to quickly grasp emerging requirements before they were tested by other organizations. Even today, Gani emphasizes the importance of educating and involving stakeholders in the regulatory process.
An example highlighted during the podcast was Gani’s involvement in obtaining FDA approval for iCAD, Inc.’s breast cancer detection technology. Unlike traditional medical devices, this product relied on software as a service (SaaS) and operated within the hospital’s internal network. Ensuring an acceptable level of security was crucial for iCAD, and Gani played a vital role in preparing the software for regulatory compliance. This involved reaching out to various stakeholders and building risk management plans based on the recognized NIST framework. Gani emphasized the flexibility and adaptability of the medical device industry, allowing companies to build quality management systems tailored to their needs.
Gani also discussed the impact of the Omnibus bill on medical device cybersecurity regulations. The FDA now has legal authority to require minimum cybersecurity standards for all devices seeking market approval. Cybersecurity is no longer treated as an optional addition; it has become a core aspect of the technology. Gani highlighted the significance of security-related bills and the increasing use of Software Bills of Materials (SBOMs) in understanding device components and vulnerabilities. The conversation expanded to emphasize the continuous nature of cybersecurity, akin to safety systems. Vulnerability disclosure, patching, and updating are essential aspects of maintaining device security.
Regarding global cybersecurity regulations, Gani acknowledged the efforts of various countries and continents in developing their own measures. She noted that the pandemic accelerated technological advancements, leading regulators to catch up and establish regulations in response. Harmonizing medical device cybersecurity standards aims to save costs for manufacturers. However, Gani emphasized the need to address broader questions related to data storage and cross-border data movement.
In summary, Nidhi Gani’s appearance on the “Left to Our Own Devices” podcast shed light on her expertise and experiences in the field of regulatory affairs for medical devices. Her insights demonstrate the importance of strategic collaboration between regulatory affairs professionals, engineers, and other stakeholders. Furthermore, Gani highlighted the evolving regulatory landscape and the increasing significance of cybersecurity in medical devices. The conversation touched upon the recent Omnibus bill and the global efforts to establish cybersecurity regulations.
