    Episode 66 · July 29, 2025 · 31m listen · 4,809 words · ~24 min read

    FDA Cybersecurity Gets Real with Monica Montañez of NAMSA | Ep. 30 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 66 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of the Med Device Cyber Podcast, host Christian Espinosa and co-host Trevor Slattery are joined by Monica Montanez from NAMSA (North American Scientific Associates) to discuss the evolving landscape of medical device cybersecurity. The conversation centers on the significant changes manufacturers face following the updated FDA regulations effective September 2023. Monica introduces NAMSA as a Contract Research Organization (CRO) that provides comprehensive consulting services for medical device manufacturers, covering everything from regulatory and quality assurance to pre-clinical studies, biocompatibility testing, and product commercialization strategies. She notes that while NAMSA serves a range of clients from startups to large multinational corporations, many startups in the Software as a Medical Device (SaMD) and AI/ML space are particularly impacted by the new cybersecurity mandates.

    The core of the discussion revolves around the transition of FDA cybersecurity guidelines from recommendations to enforceable law. Monica explains that prior to the Food and Drug Omnibus Reform Act of 2022 (FDORA), the FDA could only suggest cybersecurity measures. Now, the agency has the legal authority to reject submissions, a "Refuse to Accept" (RTA) action, if cybersecurity is not adequately addressed. This shift has caught many manufacturers off guard, as they are now required to provide extensive documentation, including security risk management reports, threat models, and vulnerability assessments, which were not strictly enforced before.

    The hosts and guest explore the ambiguity in FDA guidance, which often uses the term "recommend" for what are now de facto requirements. This vague language has created confusion, especially for new and small-scale manufacturers who may not have dedicated cybersecurity expertise.

    A key point of contention is the broad definition of a "cyber device." The panel clarifies that this term applies not just to devices with direct internet connectivity like Wi-Fi or Ethernet, but to any device that has the *ability* to connect to a network. This includes devices with USB ports, Bluetooth (even Bluetooth Low Energy), and RFID capabilities. Trevor Slattery highlights a common pitfall where manufacturers disable a feature like Bluetooth but fail to prove it is securely disabled, leaving the hardware present and vulnerable. Such oversights, often discovered during testing, are a frequent cause of submission delays.

    The podcast emphasizes that cybersecurity must be integrated into the entire product development lifecycle, similar to sterility and biocompatibility, rather than being treated as a final checklist item before submission. The discussion concludes that manufacturers must proactively adopt a secure software development framework to meet these stringent new standards and avoid costly regulatory setbacks.

    Key takeaways from this episode

    • Since September 2023, FDA cybersecurity guidelines for medical devices are no longer just recommendations but are legally enforceable under the FDORA legislation, giving the FDA the authority to reject submissions.
    • A "cyber device" is broadly defined as any medical device with software and the ability to connect to a network, including via interfaces like USB, Bluetooth, or RFID, not just Wi-Fi or Ethernet.
    • Many manufacturers, particularly startups and those new to the field, are unprepared for the increased cybersecurity documentation required, leading to submission rejections and delays.
    • Simply disabling a hardware feature, such as Bluetooth, is insufficient. Manufacturers must validate and prove that it is securely disabled and cannot be re-enabled, as the physical presence of the hardware still constitutes a potential vulnerability.
    • Cybersecurity needs to be a core part of the entire product development lifecycle, treated with the same importance as sterility and biocompatibility, rather than an afterthought.
    • The FDA now requires extensive documentation for submissions, including a security risk management report, a threat model, and a Software Bill of Materials (SBOM).
    • Adherence to standards like IEC 62304 for the software development lifecycle is critical, but it must be supplemented with specific cybersecurity guidance from the FDA to ensure compliance.
    • The FDA's language can be ambiguous, often using "recommend" for what are effectively mandates. Manufacturers should treat these recommendations as requirements to avoid a "Refuse to Accept" (RTA) notice.

    Full episode transcript

    Page 1 of 6 · Paragraphs 1-18
    Host: Hi, welcome back to the Med Device Cyber Podcast. Today we're going to be talking with NAMSA about medical device cybersecurity, specifically SaMD, AI/ML, and some of the challenges with cybersecurity that a lot of manufacturers are facing since the changes in September of 2023.

    Host: Today we have with us Monica Montanez from NAMSA, and we also have our co-host Trevor. Uh, how's everyone doing this morning?

    Trevor: Not too bad.

    Monica: Great.

    Host: All right, we've got Trevor in, uh, Sedona, Arizona. I'm in Tempe and Monica is in Colorado.

    Host: Do you want to start us off a little bit, Monica, with a quick overview of NAMSA and how you feel cybersecurity's evolved since, uh, your time in the industry?

    Monica: NAMSA represents North American Scientific Associates, and, uh, we are a CRO, um, company that, uh, also offers consulting services for regulatory and quality, including preclinical animal studies, for example, any kind of process, sterilization, uh, biocompatibility testing. Uh, we offer a whole array of different opportunities to support your product development process.

    Host: Okay, and are most of your clients, um, like startups or larger, or, you know, mid-sized manufacturers, would you say?

    Monica: I'd say most of our clients are mid-sized. We do have several large companies that we work with, multinational companies that we offer our services to. And then when it relates to software as a medical device, for example, SaMD devices, there's a lot of startups in that area.

    Host: Yeah, we've noticed a big trend with AI-enabled software as a medical device, or a lot of people say it's AI-enabled, I think, to get funding from investors when there's really no AI in it, but they kind of make it look like there's AI to get funding, because today if AI is a topic or stamped on something, everybody seems interested, from my experience.

    Monica: True, true. Yeah, um, you know, reimbursement is also a challenge for software as a medical device. So we offer reimbursement services as well. It's one of the things that they really should consider, and we talk a lot about it.

    Host: So that's the, uh, kind of helping them with the overall product, uh, commercialization and roadmap as well.

    Monica: Commercialization of the product itself. You want to make sure you can sell it.

    Host: For sure. I think a lot of people kind of skip that part, just assuming that's going to work out, but there are challenges, like you said: if you can't get reimbursement, you may not be able to sell it, because nobody will want to bring that device into their HDO.

    Host: Cool. And you've got a background in regulatory affairs and quite a few other areas specific to MedTech. Uh, from your experience in the industry, how has cybersecurity evolved? Or has it developed?

    Monica: No, it's certainly evolved. Um, you know, prior to 2023, cybersecurity was basically governed by, uh, FDA guidance documents, where FDA basically could, uh, recommend certain areas related to cybersecurity. Uh, sponsors, manufacturers were not required to design cybersecurity requirements within their product development process.

    Monica: So a lot of the cybersecurity requirements were mostly, uh, IFU driven, you know, instructions for use, what you can and can't do, um, password protection, authentication; the basic, um, kind of, uh, cybersecurity requirements were just offered at that time. And then when there were so many issues with cybersecurity taking place, um, with, uh, devices over a period of time in the early 2000s, um, it became an issue with Congress. Congress finally passed legislation which is called FDORA, and it made a change to, uh, the Food, Drug, and Cosmetic Act and actually made cybersecurity a part of the legislation. It's now where FDA can carry the big stick. FDA can basically say you have to comply with cybersecurity.

    Host: Yeah, Trevor, what is your interpretation of that? Because I know you're super familiar with the guidance, um, and the FDA, from my experience, they make a lot of recommendations, but they don't sound mandatory, but then the recommendation is actually a mandate. It seems like it's very vague and frustrating for manufacturers. What's your take on this, Trevor? And I'm not super familiar with FDORA actually, so that might be something; I don't know how familiar you are as well, Trevor, if we can dig into that a little bit.