For nearly two years, medical device companies have adhered to stricter cybersecurity requirements after Congress established new rules for manufacturers and granted the Food and Drug Administration increased authority to enforce them.
The rules took effect in March 2023, making 2024 the first full year of compliance. Some of the changes include requiring device makers to provide plans to monitor and address cybersecurity threats and include a list of components that make up a device as part of product submissions, called a Software Bill of Materials (SBOM).
Nastassia Tamari, director of the Center for Devices and Radiological Health’s Division of Medical Device Cybersecurity, said in an interview with MedTech Dive that device manufacturers have responded well and are prioritizing cybersecurity throughout a product’s entire lifecycle — from design to market launch and, eventually, obsolescence.
Tamari also discussed challenges that have come up since the new requirements took effect, addressing legacy devices and the ongoing cyberattacks on the healthcare sector.
This interview has been edited for length and clarity.
MEDTECH DIVE: This was the first full year with the new cyber requirements for medical devices. How has the year gone?
Nastassia Tamari, director of the Center for Devices and Radiological Health’s Division of Medical Device Cybersecurity
Permission granted by Food and Drug Administration
NASTASSIA TAMARI: We appreciate the authority that Congress granted for explicit cybersecurity regulatory authority. It continues to reinforce that cybersecurity is part of the safety and effectiveness of medical devices. Medical device cybersecurity is a patient issue. You can’t have a safe and effective device if it’s not cybersecure. The new requirements have provided an opportunity for the manufacturers to show how they implement cybersecurity so that it’s not done as an add-on, at the end of a planning cycle, but really spans across the total product life cycle of a device.
The standards have allowed manufacturers to show their work, so to speak, to provide documentation on how they’re incorporating cybersecurity into devices. We’ve seen greater cyber risk management, more comprehensive and effective testing, and robust risk management — all of these inputs that go into the safety and effectiveness of a device that benefits patients at the end of the day.
Manufacturers are now required to include an SBOM in product submissions. How have companies responded to that specific requirement?
A lot of the challenges and issues we’ve seen — when it comes to SBOMs — are inconsistent data. For example, you have case sensitivity or abbreviation or punctuation. A good example is Windows. How each organization cites the Windows 2000 software can be a little bit different. You might have Win 2K; you might have Windows 2K; you might have Windows 2000; or some people might do MS.
There are so many multiple sources of truth, and that has really been the challenge in data normalization.
Have there been any challenges with SBOM compliance or the FDA’s review, like applications taking longer to authorize?
The FDA has been working internally and maturing our capabilities, just to help support reviewers. We do understand that manufacturers are sometimes being asked for a human-readable SBOM. As we mature our process, that will no longer be the case. We will eventually accept a machine-readable SBOM from manufacturers. That can be a pain point for manufacturers, and it is something that we have talked about, specifically, with manufacturers and industry. We are working through that. Some of our priorities for the fiscal year 2025 are to continue to mature our ability to have some automated SBOM tools.
Does the FDA have the authority to penalize device companies if there are issues in a product submission? For example, if a device is exploited and you discover that the emergency plan was not accurate.
SBOMs are required during the submission process. The FDA doesn’t necessarily validate that an SBOM is “accurate,” but not providing the appropriate information to the FDA could potentially result in enforcement action. We do recognize that SBOMs are a snapshot. What may be submitted today, in a year from now, depending on patches and updates, will be expected to change.
On what to do around exploitability, we have this strategic cybersecurity policy review — more of a proactive risk management. But we also support reactive risk management. We do respond to medical device cybersecurity vulnerabilities and incidents. If there’s a vulnerability within a device, we do want to know about it. We want to know what the manufacturer’s plan is to provide a fix or an update. We want to know how they’re communicating to customers. We want to know what the assessment of the vulnerability has been. We will step in when we are aware of a cybersecurity vulnerability because we want to make sure that manufacturers are doing their due diligence and providing all the information upfront.
The last time we spoke, we talked a lot about legacy devices. This is a challenge the industry is constantly dealing with and struggling to find solutions for. What is CDRH doing to help address the legacy device problem?
Older, unsupported devices are still going to be a pain point. For older devices that have been around for 20-plus years, they’re still in use and the clinical benefit remains, so there is this unsolved challenge.
With the new authorities and the pre-market guidance, we really can make sure that devices will be more cybersecure in the future. For example, making sure devices are patchable, and making sure devices can be patched ad hoc if needed. Those specific requirements for cyber devices are in 524B [a section of the Federal Food, Drug, and Cosmetic Act added by Congress in 2022], and we do recommend in our pre-market guidance that manufacturers make sure devices are patchable.
Eventually, the devices that we approve today will become legacy. But because of the regulations that are being put in place now, we are ensuring that manufacturers have this more robust risk management program and that they are taking into account some of the challenges with legacy technology we’ve seen previously, like not being patchable, once they’re on the market.
Cyberattacks are happening frequently in healthcare. As a regulator, how is it operating in this environment?
We see these constantly, to your point, especially in healthcare. That’s not going to stop at all. We can’t eat the elephant in one bite. We break it down into bite-sized pieces.
If you prepare for vulnerabilities and incidents, then you are more likely and better able to respond once they happen. For an SBOM, we’re not expecting zero vulnerabilities. And frankly, if you have zero vulnerabilities today, you’re not going to have zero vulnerabilities tomorrow. It really is, what is your plan? Show us your plans. Paint us that picture.