Global Medical Device Podcast powered by Greenlight Guru

The Future of Cybersecurity



What will the future be for software as a medical device (SaMD) and cybersecurity? Manufacturers need to identify cybersecurity issues with their medical devices because incidents have become more frequent, severe, and impactful. 

In this episode of the Global Medical Device Podcast, Etienne Nichols talks to Chris Gates, Director of Product Security at Velentium and author of Medical Device Cybersecurity for Engineers and Manufacturers.

Chris has more than 30 years of experience developing and securing medical devices for device manufacturers and collaborates with regulatory and standardization agencies to present, clarify, and systemize tools, techniques, and processes that enable the creation of secure medical devices.

Some of the highlights of this episode include:
  • Although the FDA understands the importance of updating cybersecurity guidance, it should tie the documents to real standards from ISO and EU MDR, rather than only referencing consensus standards for global harmonization.
  • To make secure medical devices, a standard cybersecurity requirement needs to be created so that manufacturers all do it the same way, based on research and tools.
  • During the development portion of the product life cycle, manufacturers need to identify threats. However, if there is no workable requirement and the developer does not know what to do or not do, the threat is simply ignored and nothing is done.
  • Manufacturers have to look for the vulnerabilities or end-root cause of all exploits and threats during development. Vulnerabilities are introduced during design, during implementation, and through the use of third-party software components.
  • Software Bills of Materials (SBOMs) need to be readable and consumable. An asset management system needs to be built in to address risk mitigation.
  • When buying medical devices, health delivery organizations (HDOs) want SBOMs, support, and other cybersecurity expectations included in contracts.
  • Find out what you need to do to create secure medical devices. At the very least, look at it as a competitive advantage in the industry.

Memorable quotes from Chris Gates:

“I want something that’s workable, something that’s harmonized.” 

“What you have to look for are the vulnerabilities or the end-root cause of all exploits and threats.” 

“We want SBOMs. We want people to talk to. In case of a breach, we want some help.” 

“Take a look at what you need to do to be a good corporate citizen and create secure medical devices. At the very least, look at it as a competitive advantage in the industry.” 

Links:

Velentium

Medical Device Cybersecurity for Engineers and Manufacturers

FDA - Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

FDA - Quality Management System Regulation (QMSR)

International Organization for Standardization (ISO)

European Union - Medical Device Regulation (EU MDR)

Protecting and Transforming Cyber Healthcare (PATCH) Act

Supply Chain - Cybersecurity and Infrastructure Security Agency (CISA)

NIST Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Software Bill Of Materials - National Telecommunications and Information Administration

Software Bill of Materials - CISA

OWASP CycloneDX Software Bill of Materials (SBOM) Standard

CycloneDX Tool Center

International Open Standard (ISO/IEC 5962:2021) - Software Package Data Exchange (SPDX)

Medcrypt

Cyber BOM (SBOM) Management - Cybellum

SBOM Use Case - RKVST

The Greenlight Guru True Quality Virtual Summit

Greenlight Guru YouTube Channel

MedTech True Quality Stories Podcast

Greenlight Guru Academy

Greenlight Guru

Global Medical Device Podcast Email



Global Medical Device Podcast powered by Greenlight Guru, by Greenlight Guru + Medical Device Entrepreneurs

4.8

92 ratings

