Blue Goat Cyber℠ · Medical Device Cybersecurity
    Podcast · Episode 30

    FDA Cybersecurity Gets Real with Monica Montañez of NAMSA

With Monica Montañez of NAMSA

    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber


    Key takeaways

    • Since September 2023, the FDA can reject medical device submissions that do not adequately address cybersecurity, per the FDORA legislation.
    • The FDA defines a "cyber device" as any medical device with software that has the capability to connect to a network, including via USB, Bluetooth, or RFID, beyond just Wi-Fi or Ethernet.
    • Manufacturers are frequently unprepared for the detailed cybersecurity documentation now required, leading to submission delays and rejections.
    • Disabling a hardware feature, such as Bluetooth, is insufficient unless manufacturers validate and prove it is securely disabled and cannot be re-enabled.
    • Cybersecurity must be integrated throughout the entire product development lifecycle, on par with sterility and biocompatibility, not as a final checklist item.
    • The FDA now requires specific documentation for submissions, including a security risk management report, a threat model, and a Software Bill of Materials (SBOM).

In this episode of the Med Device Cyber Podcast, host Christian Espinosa and co-host Trevor Slattery are joined by Monica Montañez from NAMSA (North American Scientific Associates) to discuss the evolving landscape of medical device cybersecurity. The conversation centers on the significant changes manufacturers face following the updated FDA regulations effective September 2023. Monica introduces NAMSA as a Contract Research Organization (CRO) that provides comprehensive consulting services for medical device manufacturers, covering everything from regulatory and quality assurance to pre-clinical studies, biocompatibility testing, and product commercialization strategies. She notes that while NAMSA serves a range of clients from startups to large multinational corporations, many startups in the Software as a Medical Device (SaMD) and AI/ML space are particularly impacted by the new cybersecurity mandates.

    The core of the discussion revolves around the transition of FDA cybersecurity guidelines from recommendations to enforceable laws. Monica explains that prior to the Food and Drug Omnibus Reform Act of 2022 (FDORA), the FDA could only suggest cybersecurity measures. Now, the agency has the legal authority to reject submissions—a "Refuse to Accept" (RTA) action—if cybersecurity is not adequately addressed. This shift has caught many manufacturers off-guard, as they are now required to provide extensive documentation, including security risk management reports, threat models, and vulnerability assessments, which were not strictly enforced before. The hosts and guest explore the ambiguity in FDA guidance, which often uses the term "recommend" for what are now de facto requirements. This vague language has created confusion, especially for new and small-scale manufacturers who may not have dedicated cybersecurity expertise.

    A key point of contention is the broad definition of a "cyber device." The panel clarifies that this term applies not just to devices with direct internet connectivity like Wi-Fi or Ethernet, but to any device that has the ability to connect to a network. This includes devices with USB ports, Bluetooth (even Bluetooth Low Energy), and RFID capabilities. Trevor Slattery highlights a common pitfall where manufacturers disable a feature like Bluetooth but fail to prove it is securely disabled, leaving the hardware present and vulnerable. Such oversights, often discovered during testing, are a frequent cause of submission delays. The podcast emphasizes that cybersecurity must be integrated into the entire product development lifecycle, similar to sterility and biocompatibility, rather than being treated as a final checklist item before submission. The discussion concludes that manufacturers must proactively adopt a secure software development framework to meet these stringent new standards and avoid costly regulatory setbacks.

    Key Takeaways

    • Since September 2023, FDA cybersecurity guidelines for medical devices are no longer just recommendations but are legally enforceable under the FDORA legislation, giving the FDA the authority to reject submissions.

    • A "cyber device" is broadly defined as any medical device with software and the ability to connect to a network, including via interfaces like USB, Bluetooth, or RFID, not just Wi-Fi or Ethernet.

    • Many manufacturers, particularly startups and those new to the field, are unprepared for the increased cybersecurity documentation required, leading to submission rejections and delays.

    • Simply disabling a hardware feature, such as Bluetooth, is insufficient. Manufacturers must validate and prove that it is securely disabled and cannot be re-enabled, as the physical presence of the hardware still constitutes a potential vulnerability.

    • Cybersecurity needs to be a core part of the entire product development lifecycle, treated with the same importance as sterility and biocompatibility, rather than an afterthought.

    • The FDA now requires extensive documentation for submissions, including a security risk management report, a threat model, and a Software Bill of Materials (SBOM).

    • Adherence to standards like IEC 62304 for the software development lifecycle is critical, but it must be supplemented with specific cybersecurity guidance from the FDA to ensure compliance.

    • The FDA's language can be ambiguous, often using "recommend" for what are effectively mandates. Manufacturers should treat these recommendations as requirements to avoid a "Refuse to Accept" (RTA) notice.

    Listen on mdcpodcast.com · Watch on YouTube

    Notable quotes

    “Prior to the Food and Drug Omnibus Reform Act of 2022 (FDORA), the FDA could only suggest cybersecurity measures. Now, the agency has the legal authority to reject submissions if cybersecurity is not adequately addressed.”
    - Monica Montañez
    “A 'cyber device' applies not just to devices with direct internet connectivity, but to any device that has the ability to connect to a network. This includes devices with USB ports, Bluetooth, and RFID capabilities.”
    - Monica Montañez
    “Manufacturers often disable a feature like Bluetooth but fail to prove it is securely disabled, leaving the hardware present and vulnerable. Such oversights are a frequent cause of submission delays.”
    - Trevor Slattery
    “Cybersecurity must be integrated into the entire product development lifecycle, similar to sterility and biocompatibility, rather than being treated as a final checklist item before submission.”
    - Monica Montañez


Need help with FDA premarket cybersecurity?

    Blue Goat Cyber delivers FDA premarket cybersecurity services for medical device manufacturers, from threat modeling to FDA-ready reports.

    FDA Premarket Cybersecurity Services

    More on FDA Premarket Cybersecurity

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.