Avoid Engineering Your Product Twice: Get the Latest on FDA’s New Cybersecurity Requirements

FDA now expects companies to evaluate and then mitigate the security risks that are identified during medtech product development, shares Mark Omo, director of engineering at Marcus Engineering, who will speak at MD&M West 2025.

Susan Shepard

December 16, 2024


At a Glance

  • MD&M West 2025 will take place Feb. 4-6 in Anaheim, CA.
  • Check out “How to Avoid Engineering Your Product Twice: Mastering the New Cybersecurity Requirements for 510(k) Submissions.”
  • Session topics include threat modeling, secure product development frameworks, & the role of the Software Bill of Materials.

“Cybersecurity is a really important part of your system, and you need to make sure that it's part of your thought process from day one, when you're designing and architecting your device, all the way through certification,” said Mark Omo, director of engineering at Marcus Engineering, in a recent interview with Design News. “If you wait to do it at the end, you’re going to be very sad because you’re going to have to engineer your product twice,” he said.

Omo will be speaking at the upcoming MD&M West conference in Anaheim, CA, in the session, “How to Avoid Engineering Your Product Twice: Mastering the New Cybersecurity Requirements for 510(k) Submissions,” on Wednesday, February 5, from 11:15 AM to 12:00 PM, in Room 202B.

Omo’s session will focus on FDA’s new cybersecurity requirements for 510(k) medical device submissions. He explained that the agency now expects companies to evaluate and then mitigate the security risks that are identified during the product development phase. “We want to help everybody understand what they need to do when they’re designing products, what processes they need to follow,” he said.

Startups and veteran companies alike are affected by the new regulations, Omo said. Newer companies might be so focused on developing a cool new technology that they might not prioritize or even consider cybersecurity. “Those are the ones who are not budgeting for it,” he said. “It's a big surprise when they go to certification. They think, ‘we’ve spent years on this. We’ve got all our investors, we spent all our money, and all of a sudden we have this new setback that's going to cost a lot more money and more time to get to market.’”

But FDA expects that all on-market devices have to comply with the new regulations as well, he said. “And so, if you go to FDA and you have an already on-market device, and you want to change it, which might require a new 510k, FDA is going to ask you for all of this documentation that you never had to have before for your device,” Omo said. “And so there may be substantial rework and redesign required of an on-market device to comply with these regulations.”


To avoid having to go back to the drawing board and re-engineer their devices, companies need to carefully understand all the requirements and be able to show FDA that they did their due diligence for their product, Omo said. He encouraged companies to think about securing their products similarly to how they might protect their homes. “We would think about it like a thief trying to get in your home,” he said. 

Omo said he hopes to present a good overview of the landscape of all the things that companies can do to comply with the new cybersecurity regulations. Topics include threat modeling, secure product development frameworks, and the essential role of the Software Bill of Materials (SBOM). He said that while he is not planning to go in-depth on the regulations, he hopes to provide a high-level understanding, so his attendees can then later dig into all the details. 

“We think about the safety of the product and now we need to think about the security of the product,” he said. “And the secure development life cycle is the process that teams and companies use to help make sure that that process is integrated throughout their system, throughout their life,” Omo concluded.

Omo will present, “How to Avoid Engineering Your Product Twice: Mastering the New Cybersecurity Requirements for 510(k) Submissions,” on Wednesday, February 5, from 11:15 AM to 12:00 PM, in Room 202B.

About the Author

Susan Shepard

Susan Shepard is a freelance contributor to Design News and MD+DI.
