It used to be that product security experts needed to convince product developers that security was important to invest in, and that a product wouldn't get through the FDA without it. But the guidance was high-level. Now that regulators require comprehensive security and have finalized the premarket guidance, we can change the drumbeat. Instead of arguing that security needs to be designed in from the start, product security professionals should be saying, "let's make this better."
Right now in most R&D teams, securing devices costs too much, the requirements are unclear to engineering teams, and postmarket management needs a total overhaul. There's a lot of confusion about legacy devices, and how much patching is "enough." Medical device security designs have to consider not just the product but the system in which it operates. At AdvaMed's Cyber Summit this week, I heard a lot of questions that belie a basic fact: there's a lot of work to do to make product security routine and predictable.
My prediction for the next year is that product security training - across R&D, regulatory, and quality - will be the most important investment for large and medium manufacturers. It's also time for the second phase of organizational redesign. In the last five years, large manufacturers have gone through the initial implementation of product security organizations. They created VPs of Product Security, revised SOPs, and made security testing mandatory via auditable quality systems. They've been through the wringer of stock deficiencies and delays to market for retrofitting and encryption redesign. Routine special 510(k)s have been held up for lack of authentication. It has been a scramble to create organizational structures that align well with the needs of the business.
Now, requirements are predictable. Teams need to be trained, and roles need to be aligned well to manageable responsibilities and authority. The Wild West has been tamed and there is a sheriff in town. Now it's time to put down roots, bring the family, and make life more pleasant for everyone as the next phase of the medtech product security adventure begins.
~Shannon, the Optimistic Optimizer