FDA Laws and Submission Guidance Catches up with Cyber Risks in Medical Devices
2023-11-08 05:06:30 Author: securityboulevard.com


The forgiveness period for medical device manufacturers not following the PATCH (Protecting and Transforming Cyber Healthcare) Act came to a close in October 2023. The Act, which became law in late 2022 and went into effect in March 2023, is the first enforceable law focused specifically on the cyber safety of medical devices. Joshua Corman likens it to “minimum seatbelt laws for medical devices” because it requires manufacturers to provide demonstrable proof of cybersecurity controls and visibility into their devices during pre-market FDA submission.

Corman, who teaches secure development lifecycle and product security at Carnegie Mellon University’s graduate school, is the founder of Iamthecavalry.org, a collection of thousands of volunteer experts from around the world with a common mission to improve cybersecurity in medical devices, transportation and infrastructure systems, and the connected home. Josh was active in developing the PATCH Act, as well as the FDA’s latest pre-market cybersecurity guidance for device manufacturers, published in September 2023.

Now backed by law, the FDA’s guidance is no longer elective and dictates how the agency evaluates medical devices going to market, says Corman, who also co-founded CyberMedSummit.org, where he has demonstrated dozens of ways medical devices could be hacked to harm patients.

In this show, he talks about the nine-year journey to get medical device manufacturers to follow best practices and shift left in their DevOps practices, starting with secure by design and continuing throughout the product lifecycle. And, since medical device software utilizes up to 90 percent open-source components, SBOMs (software bills of materials) play a huge part in managing the risks associated with third-party code.

While manufacturers initially pushed back on the cyber safety requirements, Corman notes that those who got on board with this guidance immediately began seeing benefits that made them more competitive, faster to market, and quicker to repair exploitable vulnerabilities found in their code.

Resources:

DevOps Unbound Podcast

FDA Recommends Static Analysis for Medical Devices - CodeSecure Case Study

CDRH – FDA’s Center for Devices and Radiological Health

CISA’s Known Exploited Vulnerabilities (KEV) Catalog

Rugged Software Manifesto, co-written by Josh Corman

The post FDA Laws and Submission Guidance Catches up with Cyber Risks in Medical Devices appeared first on CodeSecure.

*** This is a Security Bloggers Network syndicated blog from TalkSecure | CodeSecure authored by Deb Radcliff. Read the original post at: https://codesecure.com/learn/fda-laws-and-submission-guidance-catches-up-with-cyber-risks-in-medical-devices/

Source: https://securityboulevard.com/2023/11/fda-laws-and-submission-guidance-catches-up-with-cyber-risks-in-medical-devices/