Shownotes
In this episode, host Etienne Nichols sits down with Jose Bohorquez and Mohamad Foustok from CyberMed to dissect the complex world of Software as a Medical Device (SaMD) and cybersecurity. They emphasize that SaMD is first and foremost a medical device and should be treated as such from the very beginning of the development process. The conversation highlights the most common mistakes companies make, like treating security as an afterthought and jumping straight into coding without a solid architectural plan.
Mohamad Foustok introduces the concept of "zero trust" and the critical importance of designing for security across the entire product lifecycle, from initial concept to post-market surveillance. The discussion clarifies that cybersecurity is not limited to network-connected devices but applies to any medical device with a software function, regardless of its connectivity. They also touch on the historical context of FDA guidance, noting a significant shift in recent years that has raised the regulatory bar and put a greater emphasis on robust cybersecurity documentation.
The guests provide actionable advice for MedTech professionals, stressing the value of a balanced approach that integrates security and functionality from day one. They explain that a well-thought-out process, though seemingly slower at the outset, ultimately saves time and resources by preventing costly and time-consuming redesigns later on. This episode serves as a vital guide for anyone looking to build a secure and compliant medical device in today's evolving regulatory landscape.
Key Timestamps
- [01:50] Common pitfalls in developing SaMD, including overlooking regulatory guidance like IEC 62304.
- [03:20] The critical mistake of treating cybersecurity as an afterthought in product development.
- [05:00] Who cybersecurity applies to beyond software, including patients, manufacturers, and supply chains.
- [06:30] The FDA's stance on cybersecurity for any device with a software function, even if not network-connected.
- [08:00] A discussion on "reasonable assurance of cybersecurity" and what it means for manufacturers.
- [10:00] The "zero trust" principle and why you should never assume a network is secure.
- [14:00] How hospitals and other stakeholders are demanding more rigorous cybersecurity standards.
- [15:40] The ideal process for a "security-first" development lifecycle.
- [21:00] Why rushing development without a proper architecture can lead to significant delays and cost overruns.
- [23:00] A brief history of FDA's cybersecurity guidance and the major shift in 2023.
Quotes
"Software as a medical device ultimately is a medical device, and so you want to be developing it from the get-go with that mindset." — Jose Bohorquez
"Security can't be an afterthought. You have to consider security at the inception of your approach to a product." — Mohamad Foustok
Takeaways
- A "Security-First" Mindset is Essential: Integrate cybersecurity from the initial architectural phase of your project. This proactive approach saves significant time and money by avoiding costly redesigns and delays later in the development process or after an FDA submission.
- Cybersecurity is for All Software-Driven Devices: Don't assume that only cloud-connected devices need cybersecurity documentation. The FDA requires documentation for any device with a software function, including embedded systems and programmable logic, even if it's not connected to a network.
- Regulatory Compliance is a Process, Not a Document: The FDA is not just looking for a checklist of documents; it wants to see a well-defined and consistently followed process for how you build and secure your software. This includes a "reasonable assurance of cybersecurity" that stands up to scrutiny.
- Hospitals are Your New Regulators: Beyond FDA compliance, be prepared for hospitals and other buyers to conduct their own rigorous cybersecurity audits. A strong cybersecurity posture is becoming a key differentiator and a prerequisite for market access.
References
- IEC 62304: The international standard for medical device software life cycle processes. It is a foundational requirement for developing compliant medical software.
- FDA Guidance Documents: Specific documents from the U.S. Food and Drug Administration that provide detailed requirements for software as a medical device (SaMD) and cybersecurity.
- Etienne Nichols' LinkedIn: For more insights and connections in the medical device industry, connect with Etienne Nichols. [https://www.linkedin.com/in/etienne-nichols-105151241/]
MedTech 101
Zero Trust: A cybersecurity principle that means you should never automatically trust anything inside or outside of your network perimeter. Instead, every access request must be verified before granting access. Think of it like a strict security guard who checks everyone's ID, even if they claim to work there. In a hospital setting, this means a medical device should not assume the hospital's Wi-Fi is secure; it should treat every connection as potentially hostile and build in its own protections. This is in contrast to the old model where everything inside the network was trusted by default.
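To make the contrast concrete, here is an added Python example (not from the episode, CyberMed, or Greenlight Guru) that puts the perimeter model beside a zero-trust check for a request reaching a device's service interface. The hospital subnet, the signing key, the device name and the token format are constructed for the demonstration.

```python
# Added illustration of the zero-trust principle described above.
# All values (subnet, key, subject names) are constructed for the demo.
import hashlib
import hmac
import ipaddress
from typing import Optional

HOSPITAL_LAN = ipaddress.ip_network("10.20.0.0/16")   # constructed subnet
DEVICE_KEY = b"constructed-demo-key-not-for-real-use"  # constructed secret
TOKEN_TTL_S = 300                                      # credential lifetime

def issue_token(subject: str, now: float) -> str:
    """Issue a short-lived credential: subject:expiry:HMAC-SHA256."""
    exp = int(now) + TOKEN_TTL_S
    msg = f"{subject}:{exp}".encode()
    sig = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{subject}:{exp}:{sig}"

def verify_token(token: str, now: float) -> bool:
    """Accept only a well-formed, unexpired token with a valid signature."""
    try:
        subject, exp_str, sig = token.split(":")
        exp = int(exp_str)
    except ValueError:          # wrong field count or non-numeric expiry
        return False
    msg = f"{subject}:{exp}".encode()
    expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature leaks no timing signal.
    return hmac.compare_digest(expected, sig) and exp > now

def perimeter_allow(src_ip: str, token: Optional[str]) -> bool:
    """Old model: anything already on the hospital LAN is trusted."""
    return ipaddress.ip_address(src_ip) in HOSPITAL_LAN

def zero_trust_allow(src_ip: str, token: Optional[str], now: float) -> bool:
    """Zero trust: where the packet came from is irrelevant; every request
    must carry a credential that verifies on its own."""
    return token is not None and verify_token(token, now)

if __name__ == "__main__":
    now = 1_700_000_000.0
    tok = issue_token("infusion-pump-7", now)
    # An unauthenticated laptop on the hospital Wi-Fi: trusted by the old
    # model, rejected under zero trust.
    print(perimeter_allow("10.20.5.9", None), zero_trust_allow("10.20.5.9", None, now))
    # A request with a valid credential is accepted regardless of subnet.
    print(zero_trust_allow("198.51.100.4", tok, now))
```

The same check would also reject a replayed token once it has expired and a token whose signature has been altered, which is the behaviour the strict security guard analogy describes.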
Feedback Call-to-Action
We love to hear from our listeners! Your feedback helps us create content that is most valuable to you. Please send your comments, topic suggestions, and guest recommendations to podcast@greenlight.guru. We read and respond to every email personally.
Sponsors
This episode of the Global Medical Device Podcast is brought to you by Greenlight Guru. In a world where regulatory requirements for software are constantly changing, having a robust and agile Quality Management System is non-negotiable. Greenlight Guru's Medical Device QMS & EDC solutions are purpose-built to help you navigate these complexities, from initial design through post-market surveillance, ensuring your SaMD and other medical devices are secure, compliant, and ready for market. Visit their website to learn how their solutions can streamline your entire development process.