Less than two months ago, the Food and Drug Administration (FDA) issued new cybersecurity guidance for medical devices as a follow-up to the Omnibus funding legislation adopted by Congress in December 2022.
On the latest (and 18th!) episode of our podcast, IoT: The Internet of Threats, we welcomed back Larry Pesce, Director of Product Security Research and Analysis at Finite State, to discuss these changes to the FDA's cybersecurity requirements for medical devices.
"The biggest change comes down to that initial submission where the FDA now has that initial right to refuse. You need a plan for ongoing maintenance, to be mindful of the security industry and new vulnerabilities, and a plan for patching," Larry explains on the episode.
The new guidance requires medical device manufacturers to submit a plan describing how they will monitor, identify, and address cybersecurity issues in their devices. In addition, manufacturers must establish a process that offers reasonable assurance that the device is protected from cybersecurity threats, including a schedule for regular security updates and a path for ad-hoc fixes in critical situations.
The FDA now also requires manufacturers to provide a cyber bill of materials (CBOM), comprising a software bill of materials (SBOM) and a hardware bill of materials (HBOM), with their premarket submissions. The CBOM is significant because it lets manufacturers and regulators track potential vulnerabilities against the specific software and hardware components a device actually contains, adding another layer of security to the devices.
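To make the monitoring plan and the SBOM requirement concrete, here is an added example (not code from the original post, from Finite State, or from the FDA) of the kind of check a post-market monitoring process runs continuously: it loads a CycloneDX-style SBOM and matches each component's package URL (purl) against a list of advisories with a "fixed in" version. The SBOM fragment, the advisory identifiers (EXAMPLE-0001 and so on), and the version ranges are all constructed for illustration and do not describe real vulnerabilities; a real pipeline would pull advisories from a vulnerability feed rather than a hard-coded list.

```python
"""Match components in a CycloneDX-style SBOM against an advisory list.

Added example, not code from the original post or from Finite State.
The SBOM, the advisory IDs and the version ranges below are constructed
for illustration only; they are not real components or real CVEs.
"""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON layout (hypothetical device).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "operating-system", "name": "linux-kernel",
         "version": "5.10.120",
         "purl": "pkg:generic/linux-kernel@5.10.120"},
        # Component without a purl: matched by name as a fallback.
        {"type": "firmware", "name": "bootloader", "version": "2.0"},
    ],
})

# Constructed advisory list (hypothetical IDs). A component is affected when
# its version is strictly lower than the "fixed" version for the same purl.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:generic/openssl", "fixed": "1.1.1t"},
    {"id": "EXAMPLE-0002", "purl": "pkg:generic/zlib", "fixed": "1.2.12"},
    {"id": "EXAMPLE-0003", "purl": "pkg:generic/linux-kernel",
     "fixed": "5.10.150"},
    {"id": "EXAMPLE-0004", "purl": "pkg:generic/bootloader", "fixed": "2.0"},
]


def version_key(version):
    """Split a version string into a comparable tuple.

    Numeric runs compare as integers and alphabetic runs as strings, so
    "1.1.1k" < "1.1.1t" and "1.2.13" > "1.2.12". Tokens are tagged so that
    ints and strs never get compared directly (which would raise in Python).
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def purl_base(purl):
    """Strip the version and any qualifiers/subpath from a purl."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def component_purl(component):
    """Return the component's purl, or a pkg:generic purl built from its name."""
    purl = component.get("purl")
    if purl:
        return purl_base(purl)
    # Fallback for SBOM entries that carry no purl at all (assumption: treat
    # them as generic packages so they are still checked rather than skipped).
    return "pkg:generic/" + component["name"]


def find_affected(sbom_json, advisories):
    """Return a list of (component, advisory) matches from the SBOM.

    Each hit records the component name and version, the advisory ID and
    the version in which the issue is fixed, which is what a remediation
    plan needs in order to schedule a patch.
    """
    sbom = json.loads(sbom_json)
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)

    hits = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            continue  # Nothing to compare against; flag upstream instead.
        for adv in by_purl.get(component_purl(comp), []):
            if version_key(version) < version_key(adv["fixed"]):
                hits.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed": adv["fixed"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f'{hit["component"]} {hit["version"]}: {hit["advisory"]} '
              f'(fixed in {hit["fixed"]})')
```

The version comparison here is deliberately generic; real feeds express affected ranges in formats such as CPE match strings or the purl "vers" notation, and a production matcher should parse those rather than assume a single "fixed in" boundary. The fallback for components without a purl is an assumption made for the example: an SBOM that omits purls is itself a finding, since name-only matching produces both false positives and misses.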
How prepared are medical device manufacturers for this change?
As Larry points out, this will depend on the individual manufacturer. Some already go above and beyond the requirements due to a strong sense of pride in their work, while others may be driven more by the risk of liability.
The biggest change, according to Larry, comes down to the initial submission to the FDA. If a manufacturer doesn't have a comprehensive plan for ongoing maintenance or a robust CBOM at the time of submission, the FDA now has the right to refuse to accept (RTA) the application.
Asked whether manufacturers will need to invest significant effort to meet these new requirements, Larry says this will depend on their current practices. Some may already be doing some of this work, but perhaps not to the depth that is now required. Others may need to put in more effort to meet these new standards.
Interestingly, Larry points out that some manufacturers who have already experienced cybersecurity compromises might be better prepared for these new requirements. These companies have learned the hard way the importance of taking cybersecurity seriously and are likely further ahead in their processes.
To find out more about the future of cybersecurity in medical devices, and to hear Larry's insights in full, tune into our latest podcast episode.
It's a compelling exploration of a rapidly evolving field that is set to transform the medical device industry.
In this episode, Eric and Larry discuss the:
All episodes of Finite State’s “IoT: The Internet of Threats” podcast can be heard on Spotify, Apple Podcasts, and Google Podcasts.