FDA’s first medical device cyber chief Kevin Fu shares with MedTech Dive his take on medical device cybersecurity and how the agency’s regulatory policy, including required updates and patches, can help improve it.
Specifically, FDA seeks to require that devices have the capability to be updated and patched in a timely manner; that premarket submissions to FDA include evidence demonstrating, from a design and architecture perspective, the capability for device updating and patching; a phased-in approach to a Cybersecurity Bill of Materials (CBOM), a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities; and that device firms publicly disclose when they learn of a cybersecurity vulnerability, so users know when a device they use may be vulnerable, and provide direction to customers to reduce their risk.
Read more at MedTech Dive.