
Shifting Sands of SaMD Cybersecurity Regulations

July 5, 2022


FDA has issued new draft guidance on cybersecurity for software as a medical device (SaMD). If FDA releases that draft guidance 'as is,' it will have a major negative impact on the SaMD industry, and it is imperative that manufacturers understand how to prepare.

In this episode of the Global Medical Device Podcast, Etienne Nichols talks to Chris Gates, director of product security at Velentium, about the shifting sands of medical device cybersecurity regulations for SaMD.


Like this episode? Subscribe today on iTunes or Spotify.

Some highlights of this episode include:

  • Chris views the FDA’s recent activity around cybersecurity requirements, regulations, and laws for SaMD as a necessity because manufacturers cannot seem to self-regulate. 

  • The Protecting and Transforming Cyber Health Care Act (PATCH) will give the FDA a direct mandate to manage the cybersecurity of medical devices.

  • However, a clause in the PATCH Act allows for cybersecurity to extend to all existing legacy medical devices—not just new devices entering the market.

  • As medical device manufacturers (MDMs) become aware of the clause, it’ll have a huge impact. MDMs will likely end support for device lines due to high costs. 

  • The biggest gap between the new draft guidance and the existing consensus standards is alignment with software bill of materials (SBOM) tooling.

  • The most effort-intensive part of the new draft guidance is the ongoing testing of anomalies to determine whether they can be turned into exploitable vulnerabilities. Because this testing is continuous rather than one-time, the industry will struggle to keep up with it given limited resources and demand.

  • All of this added burden lands on MDMs in exchange for only marginal improvements in cybersecurity, so there is little real benefit to the manufacturer.

  • A standard should be structured by aligning existing best practices for building secure medical devices, not by creating something brand new and ill-defined.


Medical Device Cybersecurity for Engineers and Manufacturers

Regulations (Submit comments to the FDA)

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions


International Electrotechnical Commission (IEC)

ISO (International Organization for Standardization)

International Medical Device Regulators Forum (IMDRF)

Chris Gates on LinkedIn

Chris Gates Email

Greenlight Guru YouTube Channel

MedTech True Quality Stories Podcast

Greenlight Guru Academy

Greenlight Guru Community

Greenlight Guru

Memorable quotes from Chris Gates:

“Legally-backed cybersecurity requirements by a regulatory agency are necessary to ensure secure devices are entering the marketplace and hopefully replacing the insecure legacy devices.”

“This clause is going to have a huge impact on medical device manufacturers (MDMs) and I find it amazing how many MDMs are completely unaware of this.”

“An SBOM is a software bill of materials. It’s an ingredients list for your application.”

“This isn’t just one-and-done testing in your lifecycle.”

“You’re going to have a lot of extra work coming your way.”

About the Global Medical Device Podcast:


The Global Medical Device Podcast powered by Greenlight Guru is where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.


Nick Tippmann is the Chief Marketing Officer for Greenlight Guru, a MedTech Lifecycle Excellence Platform (MLE) that provides an industry-specific solution to help medical technology innovators around the world use quality as an accelerator to move beyond baseline compliance and achieve True Quality. Tippmann is...