5.15.23 > Scott Singer

The impact of a cybersecurity attack on a medical device can have negative effects on patient safety.  In addition, there are privacy concerns that can arise from the data gathered from such devices.  Whether it is patient safety or patient privacy, the FDA is now putting out specific guidance in a recently released policy.

Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act | FDA

Beginning October 1, 2023, medical devices that are considered cyber devices (defined below) will be required to meet certain cybersecurity requirements.  In anticipation of that rule, FDA recently released guidance on how they will manage premarket submissions related to cyber devices before the Oct 1, deadline.  In essence, they will not immediately reject the submission if it does not contain the required elements of cybersecurity but will work with the submitter on what is required.

FDAs definition of a “cyber device” is:

(1) includes software validated, installed, or authorized by the sponsor as a device or in a device;

(2) has the ability to connect to the internet; and

(3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

So, what will be required of a cyber device?

  1. A plan must be submitted to monitor, identify, and address cybersecurity vulnerabilities after the device is released to the market.  There will need to procedures developed to address vulnerability disclosures and related procedures.
  2. The medical device maker (MDM) must design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address— (A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and (B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
  3. The MDM must have a software bill of materials (SBOM) for the cyber device, including commercial, open-source, and off-the-shelf software components.
  4. And finally, the MDM must comply with such other requirements as the FDA may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

Scott Singer, CAPT USN (retired)

Interim Managing Director, Center for Medical Device Cyber Security, UMN

Chief Executive Officer, CyberNINES

Scott is the Chief Executive Officer of CyberNINES which focuses on providing consulting services to support the DOD (Department of Defense) supply chain in meeting cyber security requirements for protecting CUI (controlled unclassified information). Most recently Scott was at PaR Systems, where he was the VP and Chief Information Officer since 2010. At PaR, Scott had responsibility for information systems, global quality, export control, security, and continuous process improvement. Previously, Scott spent 16 years with Medtronic in various leadership positions including the European Infrastructure Manager, the Vascular division CIO, and the head of global security.

CAPT Singer retired from the Navy Reserves in January of 2018. He most recently was mobilized to active duty to support hurricane relief efforts in Puerto Rico and then FEMA Headquarters in Washington, D.C. as the Department of Defense liaison to FEMA. He has served on active duty for Operations Noble Eagle/Enduring Freedom and in the Gulf War for Desert Shield and Desert Storm. Most recently he was the Navy Emergency Preparedness Liaison Officer (NEPLO) for the state of MN. Prior to that he was the Executive Officer for Commander Pacific Fleet Maritime Operations Center responsible for supporting the communications and cybersecurity needs of the Pacific Fleet. Some of CAPT Singer’s awards and medals include the Legion of Merit, Meritorious Service Medal, Joint Service Commendation Medal, Humanitarian Service Medal and Combat Action Ribbon.

Scott is the past president and currently on the executive leadership board for the Minnesota Technology Association (mntech) formerly MHTA, past President of the UW Madison NROTC Alumni Association and board member of InfraGard. He was appointed by the Secretary of Commerce to the Civil Nuclear Trade Advisory Committee (CINTAC) for his second consecutive term.

Scott has an MBA in Information Systems from the University of MN and BS is Meteorology from the University of Wisconsin at Madison.

You can Connect with Scott at the Cyber Security Summit at https://www.cybersecuritysummit.org/speakers/scott-singer/

And on LinkedIn at https://www.linkedin.com/in/scottfsinger/