By Deb Radcliff, DevSecOps analyst and editor of CodeSecure’s TalkSecure educational content (syndicated at Security Boulevard & YouTube)
The U.S. Food and Drug Administration recently updated its requirements for certifying the cyber-safety of connected medical devices. Product companies in this space must obtain pre-market approval under the FDA regulatory framework for medical device oversight. This includes producing standards-based Software Bills of Materials (SBOMs) to attest to the cyber safety of their code, their third-party components, and all interdependencies, including the operating systems, such as Windows, that the devices run on.
In this interview, we talk with Joe Silvia, who has a long history in medical device safety, security, and compliance from both the product-development and buyer sides. Through his company, Medware Cyber, he has consulted with well-known large manufacturers (in fact, with manufacturers of all sizes) on their FDA readiness.
“This pre-market cyber security guidance from the FDA is a major lift for a lot of medical device manufacturers trying to get in line with the new rules. And it’s not just SBOMs for the software components you’re adding to your code, it’s the operating systems too,” he explained.
Based on his experience, most manufacturers aren’t ready to meet these requirements. As he said, “they barely understand what an SBOM is.” For example, he described an unnamed client for whom he produced an SBOM: of the 440 pieces of software the product included, 108 didn’t have a version number, the most basic element of any SBOM.
When it comes to operating system dependencies, most O/S vendors do a good job of providing transparency to third-party developers, he said. But medical device makers can’t just take the O/S vendor’s word for it, especially where transitive dependencies are concerned. That’s where workflow-friendly testing tools come in.
“It’s a shared responsibility. Do software composition analysis and scanning of your software and operating systems, and continue to make sure that they’re up to date,” he added. “More than just generating an SBOM, you need to pick a tool vendor that understands the regulations. Be careful and do your due diligence as you select those vendors.”
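To make the “missing version” finding and the transitive-dependency point concrete, here is an added example (not from the interview, CodeSentry, or Medware Cyber) that walks a constructed CycloneDX-style SBOM, descends into nested components, and reports which entries lack the basic fields; the sample SBOM and the required-field list are assumptions, not a real device inventory.

```python
import json

# Constructed sample CycloneDX-style SBOM (not from the interview or any real device).
# One top-level component nests a transitive dependency, and several fields are
# deliberately left out so the completeness checks have something to find.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.13"},
        {"name": "zlib", "supplier": {"name": "zlib"}, "purl": "pkg:generic/zlib",
         "components": [
             {"name": "minizip", "version": "1.3"}  # nested: no supplier, no purl
         ]},
        {"name": "Windows IoT Enterprise", "version": "10.0.19044",
         "type": "operating-system"},
    ],
}

# Assumed minimum per-component fields, in the spirit of the NTIA minimum elements.
REQUIRED = ("name", "version", "supplier", "purl")

def walk(components):
    """Yield every component, descending into nested (transitive) components."""
    for comp in components:
        yield comp
        yield from walk(comp.get("components", []))

def missing_fields(sbom):
    """Return {component name: [missing field names]} for each incomplete component."""
    gaps = {}
    for comp in walk(sbom.get("components", [])):
        absent = [f for f in REQUIRED if not comp.get(f)]
        if absent:
            gaps[comp.get("name", "<unnamed>")] = absent
    return gaps

def completeness_report(sbom):
    """Summarise total components, how many lack a version, and every gap found."""
    comps = list(walk(sbom.get("components", [])))
    no_version = sum(1 for c in comps if not c.get("version"))
    return {"total": len(comps), "missing_version": no_version,
            "gaps": missing_fields(sbom)}

if __name__ == "__main__":
    rep = completeness_report(json.loads(json.dumps(SAMPLE_SBOM)))
    print(f"{rep['missing_version']} of {rep['total']} components have no version")
    for name, fields in rep["gaps"].items():
        print(f"  {name}: missing {', '.join(fields)}")
```

The same walk can be pointed at an SBOM exported by a composition-analysis tool to confirm that the operating-system entry and its nested dependencies carry versions and identifiers before the submission goes out.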
Tune into this 25-minute show and learn more!
Resources:
- CodeSentry Binary Composition Analysis
- FDA 510K pre-market submission guidance
- SBOM-a-Rama and info on working groups