September 29, 2025 44 mins

In this episode, host Etienne Nichols sits down with Jose Bohorquez and Mohamad Foustok from CyberMed to dissect the complex world of Software as a Medical Device (SaMD) and cybersecurity. They emphasize that SaMD is first and foremost a medical device and should be treated as such from the very beginning of the development process. The conversation highlights the most common mistakes companies make, like treating security as an afterthought and jumping straight into coding without a solid architectural plan.

Mohamad Foustok introduces the concept of "zero trust" and the critical importance of designing for security across the entire product lifecycle, from initial concept to post-market surveillance. The discussion clarifies that cybersecurity is not limited to network-connected devices but applies to any medical device with a software function, regardless of its connectivity. They also touch on the historical context of FDA guidance, noting a significant shift in recent years that has raised the regulatory bar and put a greater emphasis on robust cybersecurity documentation.

The guests provide actionable advice for MedTech professionals, stressing the value of a balanced approach that integrates security and functionality from day one. They explain that a well-thought-out process, though seemingly slower at the outset, ultimately saves time and resources by preventing costly and time-consuming redesigns later on. This episode serves as a vital guide for anyone looking to build a secure and compliant medical device in today's evolving regulatory landscape.

Key Timestamps

  • [01:50] Common pitfalls in developing SaMD, including overlooking regulatory guidance like IEC 62304.
  • [03:20] The critical mistake of treating cybersecurity as an afterthought in product development.
  • [05:00] Who cybersecurity applies to beyond software, including patients, manufacturers, and supply chains.
  • [06:30] The FDA's stance on cybersecurity for any device with a software function, even if not network-connected.
  • [08:00] A discussion on "reasonable assurance of cybersecurity" and what it means for manufacturers.
  • [10:00] The "zero trust" principle and why you should never assume a network is secure.
  • [14:00] How hospitals and other stakeholders are demanding more rigorous cybersecurity standards.
  • [15:40] The ideal process for a "security-first" development lifecycle.
  • [21:00] Why rushing development without a proper architecture can lead to significant delays and cost overruns.
  • [23:00] A brief history of FDA's cybersecurity guidance and the major shift in 2023.

Quotes

"Software as a medical device ultimately is a medical device, and so you want to be developing it from the get-go with that mindset." — Jose Bohorquez
"Security can't be an afterthought. You have to consider security at the inception of your approach to a product." — Mohamad Foustok

Takeaways

  • A "Security-First" Mindset is Essential: Integrate cybersecurity from the initial architectural phase of your project. This proactive approach saves significant time and money by avoiding costly redesigns and delays later in the development process or after an FDA submission.
  • Cybersecurity is for All Software-Driven Devices: Don't assume that only cloud-connected devices need cybersecurity documentation. The FDA requires documentation for any device with a software function, including embedded systems and programmable logic, even if it's not connected to a network.
  • Regulatory Compliance is a Process, Not a...
© 2025 iHeartMedia, Inc.