Major Areas of Cybersecurity Focus for Medical Device Makers
Nastassia Tamari of the FDA on Top Challenges During Premarket Device Submissions
Medical device makers submitting products for premarket approval by the Food and Drug Administration often struggle the most with cybersecurity in three major areas - design controls, providing a software bill of materials and testing, according to Nastassia Tamari of the FDA.
"We're working closely with manufacturers during that review process to address some of those concerns that are raised during the submission process," she said in an interview with Information Security Media Group. Those concerns often involve the need to provide the FDA with more thorough information or clearer documentation involving design issues and SBOMs, as well as addressing potential issues with cybersecurity testing.
"Those really all continue to be challenges during the submission process," said Tamari, who joined the FDA late last year and is the agency's first division director for medical device cybersecurity. That new FDA division is dedicated to medical device cybersecurity issues, including response and coordination for cyber incidents involving devices.
The new medical device division was launched as part of a January reorganization of the FDA's Office of Strategic Partnerships and Technology Innovation, also known as OST, within the agency's Center for Devices and Radiological Health. OST was elevated to a "super office" following the passage of an omnibus funding bill signed into law in December 2022 that expanded the FDA's regulatory authority over medical device cybersecurity (see: FDA Ramps Up Resources for Medical Device Cybersecurity).
The increased authority includes enabling the FDA to immediately reject premarket submissions for new medical devices due to a lack of cybersecurity details, such as a software bill of materials or penetration testing and vulnerability mitigation information (see: Inside Look: FDA's Cyber Review Process for Medical Devices).
But for some device manufacturers, penetration testing has become a bottleneck in submitting their products for FDA's premarket review, Tamari said.
"We have had conversations and are hearing that manufacturers are facing three- to six-month wait times for third-party penetration organizations to be able to fit them in," she said.
The FDA strongly urges manufacturers to plan ahead for those critically important pen tests to ensure testing is thoroughly performed and that any findings are addressed prior to making a submission to the agency, Tamari said.
"We want to see those testing plans completed, but also knowing that whatever the findings are within those test documents, there are also controls that are implemented."
In this audio interview with Information Security Media Group, Tamari also discussed:
- Potential reasons for the long delays device makers are facing in obtaining third-party pen testing;
- Considerations involving artificial intelligence- and machine learning-enabled medical devices;
- How Tamari's previous decade-long cybersecurity work at medical device maker Becton, Dickinson and Co. prepared her for the new role at FDA.
Tamari leads medical device cybersecurity within the FDA for a new division that provides leadership and strategic direction for medical device cybersecurity policy. Her team develops policy related to medical device cybersecurity to advance national preparedness and response to cybersecurity incidents involving medical devices. Prior to joining the FDA, Tamari spent more than a decade at medical device manufacturer BD supporting the creation of a product security program; leading the security operations team for enterprise, product and manufacturing; and leading a global team in strategic regulatory alignment.