Episode 20
What the FDA’s Latest Cybersecurity Guidance Means for Medical Devices with Bold Type
Aired On: July 9, 2024
Jose Bohorquez and Mohamad Foustok of Bold Type join our hosts Michael Roberts and Justin Bantuelle to discuss recent updates to FDA guidance for cybersecurity requirements. You may be surprised to learn how many medical devices are affected and what changes are coming.
In this Episode
- 00:02:05 – Defining Cyber Devices and Their Implications
- 00:05:36 – Challenges of Remotely Updating Software
- 00:08:50 – Importance of Secure Software Development and Cybersecurity Consulting
- 00:20:25 – The Importance of Architecture in Medical Device Development
- 00:26:31 – Segregating Medical Device Functions for Enhanced Security
- 00:30:56 – The FDA’s Role in Ensuring Patchability and Updatability
- 00:36:42 – Taking a Proactive Approach to Cybersecurity in Medical Devices
Quotes From This Episode
The headline or the bottom line there is just that the bar was raised substantially…So they pretty much, they boil it down to if a device has any means of connecting to the internet, then it’s a cyber device. So it’s not just if it does connect intentionally to the internet, maybe it’s got wifi or cellular, you would think that’s a cyber device, but you might consider a medical device that just has a USB port and is not intended to connect to the internet to not be a cyber device. What FDA said is no, if there is any foreseeable means by which the internet can connect to this device, then it is a cyber device.
Jose Bohorquez
Frankly, the best time to start thinking about cybersecurity for medical devices is early, because if you make certain architectural decisions early, that then bring on vulnerabilities, it’s going to be very difficult to meet those needs down the line. Right? So, you don’t want to be in a position where you’re trying to do remediation on the cybersecurity front, because it’s not just a question of documentation. It may be a question of architecture.
Jose Bohorquez
You do need to have that discipline up front to think this through and understand the consequences. And in fact, it’s desirable also from another perspective, from a pure security perspective. I’ve always believed that one of the essences of good security is reducing the footprints of what you’re securing…If you have a large monolithic system, trying to secure it becomes very challenging, but if you can break it down and secure parts of it, or parts that are important of it, at the end of the day, ultimately you’re trying to secure your medical device functions.
Mohamad Foustok