CDRH cyber chief on compliance with new rules, ongoing security threats


For nearly two years, medical device companies have adhered to stricter cybersecurity requirements after Congress established new rules for manufacturers and granted the Food and Drug Administration increased authority to enforce them.

The rules took effect in March 2023, making 2024 the first full year of compliance. Some of the changes include requiring device makers to provide plans to monitor and address cybersecurity threats, and to include in product submissions a list of the software components that make up a device, called a Software Bill of Materials (SBOM).

Nastassia Tamari, director of the Center for Devices and Radiological Health’s Division of Medical Device Cybersecurity, said in an interview with MedTech Dive that device manufacturers have responded well and are prioritizing cybersecurity throughout a product’s entire lifecycle — from design to market launch and, eventually, obsolescence.

Tamari also discussed challenges that have come up since the new requirements took effect, including how to address legacy devices and the ongoing cyberattacks on the healthcare sector.

This interview has been edited for length and clarity.

MEDTECH DIVE: This was the first full year with the new cyber requirements for medical devices. How has the year gone?


Nastassia Tamari, director of the Center for Devices and Radiological Health’s Division of Medical Device Cybersecurity


NASTASSIA TAMARI: We appreciate the authority that Congress granted for explicit cybersecurity regulatory authority. It continues to reinforce that cybersecurity is part of the safety and effectiveness of medical devices. Medical device cybersecurity is a patient issue. You can’t have a safe and effective device if it’s not cybersecure. The new requirements have provided an opportunity for the manufacturers to show how they implement cybersecurity so that it’s not done as an add-on, at the end of a planning cycle, but really spans across the total product life cycle of a device.

The standards have allowed manufacturers to show their work, so to speak, to provide documentation on how they’re incorporating cybersecurity into devices. We’ve seen greater cyber risk management, more comprehensive and effective testing, and robust risk management — all of these inputs that go into the safety and effectiveness of a device that benefits patients at the end of the day.

Manufacturers are now required to include an SBOM in product submissions. How have companies responded to that specific requirement?

A lot of the challenges and issues we’ve seen — when it comes to SBOMs — are inconsistent data. For example, you have case sensitivity or abbreviation or punctuation. A good example is Windows. How each organization cites the Windows 2000 software can be a little bit different. You might have Win 2K; you might have Windows 2K; you might have Windows 2000; or some people might do MS.

There are so many multiple sources of truth, and that has really been the challenge in data normalization.
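One way to tackle the normalization problem Tamari describes, as an added example that is not part of the original interview or of any FDA tooling: the alias table, vendor prefixes, canonical identifiers and SBOM entries below are all constructed sample data, and the CycloneDX-like field names are an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed alias table (example data only, not an FDA or industry source).
# Keys are names as produced by normalize_name(); values are one canonical id.
ALIASES = {
    "windows 2000": "microsoft:windows_2000",
    "win 2000": "microsoft:windows_2000",
    "openssl": "openssl:openssl",
}
VENDOR_PREFIXES = {"ms", "microsoft"}  # dropped when they lead the name

def normalize_name(raw: str) -> str:
    """Fold case, punctuation, spacing, 'Win2K'-style fusing and the '2K' shorthand."""
    s = re.sub(r"[^a-z0-9]+", " ", raw.lower())   # punctuation/hyphens -> space
    s = re.sub(r"(?<=[a-z])(?=\d)", " ", s)       # 'win2k' -> 'win 2k'
    tokens = [("2000" if t == "2k" else t) for t in s.split()]
    if tokens and tokens[0] in VENDOR_PREFIXES:
        tokens = tokens[1:]
    return " ".join(tokens)

def canonical_id(raw: str) -> Optional[str]:
    """Map one SBOM component name to a canonical id, or None if unresolved."""
    return ALIASES.get(normalize_name(raw))

def reconcile(entries: List[Dict[str, str]]) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Group SBOM entries from many manufacturers by canonical component id.

    Returns (canonical_id -> sorted suppliers, [(supplier, raw_name)] unresolved),
    so that one advisory keyed by canonical id finds every affected submission
    regardless of how each manufacturer spelled the component.
    """
    groups: Dict[str, set] = {}
    unresolved: List[Tuple[str, str]] = []
    for e in entries:
        cid = canonical_id(e["name"])
        if cid is None:
            unresolved.append((e["supplier"], e["name"]))  # needs manual review
        else:
            groups.setdefault(cid, set()).add(e["supplier"])
    return {k: sorted(v) for k, v in groups.items()}, unresolved

# Constructed sample entries, minimal CycloneDX-like fields (not real submissions).
SBOM_ENTRIES = [
    {"supplier": "Vendor A", "name": "Win 2K", "version": "5.0"},
    {"supplier": "Vendor B", "name": "Windows 2K", "version": "5.0 SP4"},
    {"supplier": "Vendor C", "name": "Windows 2000", "version": "5.0"},
    {"supplier": "Vendor D", "name": "MS Windows 2000", "version": "5.0"},
    {"supplier": "Vendor E", "name": "MS", "version": "5.0"},
    {"supplier": "Vendor F", "name": "OpenSSL", "version": "1.0.2"},
]
```

An entry that lands in the unresolved list (the bare "MS" above) cannot be matched to an advisory automatically and has to be clarified with the submitter rather than silently dropped.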

Have there been any challenges with SBOM compliance or the FDA’s review, like applications taking longer to authorize?

The FDA has been working internally and maturing our capabilities, just to help support reviewers. We do understand that manufacturers are sometimes being asked for a human-readable SBOM. As we mature our process, that will no longer be the case. We will eventually accept a machine-readable SBOM from manufacturers. That can be a pain point for manufacturers, and it is something that we have talked about, specifically, with manufacturers and industry. We are working through that. Some of our priorities for the fiscal year 2025 are to continue to mature our ability to have some automated SBOM tools.

Does the FDA have the authority to penalize device companies if there are issues in a product submission? For example, if a device is exploited and you discover that the emergency plan was not accurate.

SBOMs are required during the submission process. The FDA doesn’t necessarily validate that an SBOM is “accurate,” but not providing the appropriate information to the FDA could potentially result in enforcement action. We do recognize that SBOMs are a snapshot. What may be submitted today, in a year from now, depending on patches and updates, will be expected to change.

On what to do around exploitability, we have this strategic cybersecurity policy review — more of a proactive risk management. But we also support reactive risk management. We do respond to medical device cybersecurity vulnerabilities and incidents. If there’s a vulnerability within a device, we do want to know about it. We want to know what the manufacturer’s plan is to provide a fix or an update. We want to know how they’re communicating to customers. We want to know what the assessment of the vulnerability has been. We will step in when we are aware of a cybersecurity vulnerability because we want to make sure that manufacturers are doing their due diligence and providing all the information upfront.