    Episode 31 · July 29, 2025 · 31m listen · 4,609 words · ~23 min read

    FDA Cybersecurity Gets Real with Monica Montañez of NAMSA | Ep. 30 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 31 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast features Monica Montañez of NAMSA, who provides crucial insights into the evolving landscape of medical device cybersecurity regulations, particularly following the September 2023 legislative changes. The discussion highlights the shift from mere recommendations to mandatory cybersecurity compliance under the amended Food and Drug and Cosmetic Act, making it clear that the FDA now wields a "big stick" in enforcement. A key topic of conversation is the often-ambiguous definition of a "cyber device" and how manufacturers, especially startups, frequently misinterpret FDA guidance. The hosts and Monica emphasize that devices with the _ability_ to connect to the internet, through various means like Bluetooth, USB, or even RFID, are considered cyber devices, regardless of whether those features are actively used or seemingly disabled. The conversation also delves into the increased documentation requirements for premarket submissions, including security risk management reports, threat models, and vulnerability assessments, underscoring the significant burden on manufacturers previously accustomed to minimal cybersecurity oversight. The discussion touches upon the importance of integrating cybersecurity into the entire product lifecycle, from a secure product development framework (SPDF) to postmarket vulnerability management, and the challenges of achieving compliance with standards like IEC 62304 alongside the specific FDA guidance for device software functions.

    Key takeaways from this episode

    • Post-September 2023, medical device cybersecurity compliance transitioned from optional recommendations to mandatory legal requirements under the Food and Drug and Cosmetic Act.
    • The FDA's definition of a "cyber device" is broad, encompassing any device with the _ability_ to connect to the internet via various interfaces (e.g., Wi-Fi, Bluetooth, USB, RFID), even if those functionalities are disabled.
    • Manufacturers must now submit extensive documentation for premarket submissions, including security risk management reports, threat models, and vulnerability assessments, a significant increase from previous minimal requirements.
    • Many software development companies, even those contracted by MedTech innovators, have not adequately integrated secure software development practices into their processes, leading to issues with compliance.
    • Adhering to standards like IEC 62304 is a baseline, but manufacturers must also thoroughly understand and follow the specific FDA guidance document for premarket submissions of device software functions, which outlines the required deliverables.
    • Proactive and conservative cybersecurity testing, including negative testing to validate the proper disabling of interfaces, is crucial, as many devices are found to have unintended or unsecured functionalities upon testing.
    • The FDA's cybersecurity guidance, while sometimes ambiguously worded, necessitates a proactive and comprehensive approach to product security throughout the entire development lifecycle to avoid submission rejections.
    • Integrating cybersecurity education for developers early in the product lifecycle is critical to prevent common issues like unintended interfaces and insufficient security controls in medical devices.

    Full episode transcript

    Hi, welcome back to the Med Device Cyber Podcast. Today we're going to be talking with NAMSA about medical device cybersecurity, specifically SaMD, AI, ML, and some of the challenges with cybersecurity that a lot of manufacturers are facing since the changes in September of 2023. Today we have with us Monica Montañez from NAMSA, and we also have our co-host, Trevor. Not too bad. Great. Alright, we've got Trevor in Sedona, Arizona, and Monica is in Colorado. So, you want to start us off a little bit, Monica, with a quick overview of NAMSA and how you feel cybersecurity has evolved since your time in the industry?

    NAMSA represents North American Scientific Associates, and we are a CRO company that also offers consulting services for regulatory and quality, including preclinical animal studies, for example, any kind of process sterilization, biocompatibility testing. We offer a whole array of different opportunities to support your product development process.

    Okay. And are most of your clients like startups or larger or midsize manufacturers, would you say?

    I'd say most of our clients are midsize. We do have several large companies that we work with, multinational companies that we offer our services to. And then when it relates to Software as a Medical Device, for example, SaMD devices, there's a lot of startups in that area.

    Yeah, we've noticed a big trend with AI-enabled software in medical devices, or a lot of people say it's AI-enabled. I think to get funding from investors when there's really no AI in it, but they kind of make it look like there's AI to get funding, because today if AI is a topic or stamped on something, everybody seems interested, from my experience.

    True. True. Yeah. Reimbursement is also a challenge for Software as a Medical Device, so we offer reimbursement services as well. One of the things that they really should consider and we talk a lot about. So that's kind of helping them with the overall product commercialization and roadmap as well as commercialization of the product itself.

    You want to make sure you can sell it, for sure. I think a lot of people kind of skip that part, just assuming that's going to work out. But there are challenges, like you said, if you can't get a reimbursement, you may not be able to sell it because nobody will want to bring that device into their HDO. Cool. And you've got a background in regulatory affairs and quite a few other areas specific to MedTech. From your experience in the industry, how has cybersecurity evolved, or has it devolved?

    No, it's certainly evolved. Prior to 2023, cybersecurity was basically governed by FDA guidance documents, in which FDA could recommend certain areas related to cybersecurity. Sponsors, manufacturers were not required to design cybersecurity requirements within their product development process. So a lot of the cybersecurity requirements were mostly IFU-driven, you know, instructions for use, what you can and can't do, password protection, authentication. The basic kind of cybersecurity requirements were just offered at that time. And then when there were so many issues with cybersecurity taking place with devices over a period of time in the early 2000s, it became an issue with Congress. Congress finally passed a bill, legislation, which is called FDORA, and it made a change to the Food and Drug and Cosmetic Act, and actually made cybersecurity a part of the legislation. It's now where FDA can carry the big stick. FDA can basically say you have to comply with cybersecurity.

    Yeah. Trevor, what is your interpretation of that? Because I know you're super familiar with the guidance. And from my experience, the FDA, they make a lot of recommendations, but they don't sound mandatory, but then the recommendations are actually mandates. It seems like it's very vague and frustrating for manufacturers. What's your take on this, Trevor? And I'm not super familiar with FDORA, actually, so that might be something. I don't know how familiar you are as well, Trevor, but we can dig into that a little bit.

    It's something I hear all the time from manufacturers is, oh, well, it's recommended that we do our threat modeling, but is it required? And reading the FDA guidance everywhere, it says, we recommend you do threat modeling. We recommend you do penetration testing. We recommend you do requirements testing. And if you submit your 510(k) or your PMA or whatever submission without it, the FDA is going to come back and say, you know, this is insufficient. You did not cover cybersecurity. You did not do threat modeling. You did not do your penetration testing. You did not meet the requirements. So it's one of the many, many areas where it's worded in a little bit of a vague way that I feel like manufacturers who are new to the space are going to get a little bit caught up on. So a lot of startups will have issues with that. Once a company's been putting out several devices, they're used to the guidance, they're going to know what to expect.