Shifting Sands of SaMD Cybersecurity Regulations

FDA has issued new draft guidance on cybersecurity for software as a medical device (SaMD). If the FDA releases that draft guidance ‘as is,’ it will massively and negatively impact the SaMD industry and it’s imperative that manufacturers understand how to prepare. In this episode of the Global Medical Device Podcast, Etienne Nichols talks to Chris Gates, director of product security at Velentium, about the shifting sands of medical device cybersecurity regulations for SaMD. Some of the highlights of this episode include:Chris views the FDA’s recent activity around cybersecurity requirements, regulations, and laws for SaMD as a necessity because manufacturers cannot seem to self-regulate. The Protecting and Transforming Cyber Health Care Act (PATCH) will give the FDA a direct mandate to manage the cybersecurity of medical devices.However, a clause in the PATCH Act allows for cybersecurity to extend to all existing legacy medical devices—not just new devices entering the market.As medical device manufacturers (MDMs) become aware of the clause, it’ll have a huge impact. MDMs will likely end support for device lines due to high costs. The biggest issue with the new guidance consensus vs. regulatory standards is alignment with software bill of materials (SBOM) tools.The most effort-intensive part of the new draft guidance is ongoing testing of anomalies to determine if they can be turned into vulnerabilities. The industry will be unable to keep up with additional testing because of resources and demand.All this added burden will be placed on MDMs at the cost of marginal improvements in cybersecurity. So, there’s no real benefit to the manufacturer.Structure a standard by not creating something brand new that is ill/undefined but align best practices to create secure medical devices.Memorable quotes from Chris Gates:“Legally-backed cybersecurity requirements by a regulatory agency are necessary to ensure secure devices are entering the marketplace and hopefully replacing the insecure legacy devices.”“This clause is going to have a huge impact on medical device manufacturers (MDMs) and I find it amazing how many MDMs are completely unaware of this.”“An SBOM is a software bill of materials. It’s an ingredients list for your application.”“This isn’t just one-and-done testing in your life cycle.”“You’re going to have a lot of extra work coming your way.”Links:Medical Device Cybersecurity for Engineers and ManufacturersRegulations (Submit comments to the FDA)Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket SubmissionsPATCH ActInternational Electrotechnical Commission (IEC)ISO (International Organization for Standardization)International Medical Device Regulators Forum (IMDRF)