
As the healthcare industry continues to embrace digital transformation, connected medical devices are becoming more common—and more vulnerable. From insulin pumps and pacemakers to remote monitoring systems and diagnostic tools, these devices are increasingly exposed to cyber threats that can compromise patient safety, data integrity, and regulatory compliance.

In this blog, we explore the top cybersecurity risks facing connected medical devices and share expert insights on how manufacturers can stay ahead of evolving threats and meet global regulatory expectations.




Late Integration of Cybersecurity in Product Development

One of the most frequent mistakes medical device manufacturers make is waiting too long to address cybersecurity. Cybersecurity should be embedded early in the medical device development lifecycle, not added as an afterthought. Delayed integration can lead to vulnerabilities that are costly to fix and may result in regulatory delays or denials.

Tip: Begin threat modeling immediately after defining device features to ensure secure design specifications and reduce remediation costs.

Incomplete Software Bill of Materials (SBOM)

A comprehensive Software Bill of Materials (SBOM) is now a regulatory requirement in both the U.S. and EU. Many companies still submit SBOMs that lack depth, omitting nested components or failing to meet machine-readable format standards. This can lead to compliance issues and increased risk exposure.

Tip: Include all software layers—components of components—and ensure your SBOM is both human- and machine-readable.
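As an added example (not part of the original post), the following Python check reads a constructed CycloneDX-style SBOM, a real machine-readable SBOM format, and flags the two gaps described above: nested components that are referenced but never declared, and components whose own dependencies are not recorded at all. The sample SBOM and every component name in it are constructed for illustration, not taken from any real device.

```python
"""Check a CycloneDX-style SBOM for missing nested components and for
a document that is not machine-readable. The SBOM below is a constructed
sample, not a real device's SBOM."""
import json

# Constructed sample: the firmware depends on an RTOS and a TLS library;
# the TLS library's own dependency (a crypto primitives library) appears
# in the dependency graph but is never declared as a component, and the
# RTOS has no dependency entry, so its nesting is unknown.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "firmware", "bom-ref": "pump-fw", "name": "pump-firmware", "version": "2.3.0"},
        {"type": "library", "bom-ref": "rtos", "name": "example-rtos", "version": "10.4"},
        {"type": "library", "bom-ref": "tls", "name": "example-tls", "version": "3.1"},
    ],
    "dependencies": [
        {"ref": "pump-fw", "dependsOn": ["rtos", "tls"]},
        {"ref": "tls", "dependsOn": ["crypto-prims"]},  # nested dependency, never declared
    ],
})


def sbom_gaps(sbom_text: str) -> list:
    """Return a list of findings for a JSON SBOM; an empty list means no gaps."""
    findings = []
    try:
        bom = json.loads(sbom_text)
    except json.JSONDecodeError:
        return ["not machine-readable: SBOM is not valid JSON"]
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("unexpected bomFormat: %r" % bom.get("bomFormat"))
    declared = {c.get("bom-ref") for c in bom.get("components", [])}
    with_deps = set()
    for dep in bom.get("dependencies", []):
        with_deps.add(dep.get("ref"))
        for child in dep.get("dependsOn", []):
            if child not in declared:  # a component of a component is missing
                findings.append(f"{dep.get('ref')} depends on undeclared component {child!r}")
    # In CycloneDX an entry with an empty dependsOn means "no dependencies";
    # no entry at all means the nesting below that component is unknown.
    for ref in sorted(declared):
        if ref not in with_deps:
            findings.append(f"component {ref!r} has no dependency entry (nesting unknown)")
    for c in bom.get("components", []):
        if not c.get("version"):
            findings.append(f"component {c.get('name')!r} lacks a version")
    return findings
```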

Legacy Devices with Outdated Security

Legacy medical devices often lack modern cybersecurity features such as patching capabilities, logging, and threat detection. These devices pose a significant risk, especially when integrated into hospital networks.

Tip: Conduct a full cybersecurity assessment of legacy devices and plan for updates or redesigns that meet current FDA cybersecurity guidance and EU MDR requirements.

Lack of Threat Modeling and Vulnerability Management

Without proper threat modeling, manufacturers may overlook critical vulnerabilities. Additionally, failing to maintain a coordinated vulnerability disclosure program can result in non-compliance and reputational damage.

Tip: Implement a secure product development framework that includes threat modeling, penetration testing, and vulnerability traceability.

Overexposed Physical and Network Interfaces

Ports like USB, Bluetooth, and Wi-Fi can be exploited if not properly secured. Devices with exposed service ports or debug features are particularly vulnerable to unauthorized access.

Tip: Use physical controls (e.g., security screws, access doors) to limit exposure. Disable unnecessary ports and implement strong authentication protocols.

Misalignment with Global Regulatory Requirements

With evolving guidance from the FDA, EU MDR, UK MHRA, and the Cyber Resilience Act, companies must ensure their cybersecurity practices align across markets. Misalignment can lead to costly redesigns and delayed market access.

Tip: Stay informed on global cybersecurity regulations and work with experts who understand regional differences and harmonization efforts.

Final Thoughts

Cybersecurity in connected medical devices is no longer optional—it’s a regulatory and ethical imperative. By addressing these risks early and thoroughly, manufacturers can protect patients, ensure compliance, and maintain trust in their products.

Ready to Strengthen Your Cybersecurity Strategy?

Regulatory Compliance Associates® (RCA) specializes in helping medical device companies navigate the complex world of cybersecurity compliance, from SBOM development and threat modeling to FDA submissions and global market access. Contact RCA today to schedule a consultation with our cybersecurity experts and ensure your device is secure, compliant, and ready for market.

Regulatory Compliance Associates® (RCA) Executive Pharma Compliance Expert & Principal Consultant, Anita Michael, recently shared important FDA updates impacting pharmaceutical manufacturers. With over 25 years of global regulatory and quality experience—including 16 years as the FDA’s Global Pharmaceutical Expert—Anita emphasizes the need for heightened inspection readiness.

Key FDA Updates

  • Unannounced Inspections Abroad: The FDA will now conduct unannounced inspections at foreign manufacturing facilities, similar to those already performed in the U.S. This expansion ensures drug substances, finished products, and critical excipients entering the U.S. meet safety and quality standards.
  • Rigorous Reviews: Expect science-based audits across manufacturing operations and quality systems. Companies should ensure their six quality systems (Quality, Production, Laboratory, Facilities & Equipment, Materials, and Packaging/Labeling) are fully inspection-ready.
  • Pre-Approval Program Updates: The FDA has refined its pre-approval inspection focus to include:
    • Readiness for commercial manufacturing (QMS and six systems)
    • Conformance to application and data integrity requirements
    • Commitment to quality and pharmaceutical development
    • Audit preparedness and documentation management

Preparing for Compliance

To stay ahead, companies should:

  • Conduct robust internal and external audits
  • Maintain a centralized FDA document repository
  • Ensure subject matter experts are prepared to address complex regulatory questions

Why It Matters

These changes highlight the FDA’s commitment to protecting U.S. patients by ensuring consistent global manufacturing standards. Proactive preparation will be critical for pharmaceutical companies with international facilities or partnerships.

Need support preparing for FDA inspections or audits? Contact RCA today to speak with our compliance experts and ensure your organization is inspection-ready.

Background

An established pharmaceutical company with a strong background in biologics and biosimilars was preparing to enter Phase 3 clinical trials with a biosimilar product. While their drug development and manufacturing teams were experienced and well-resourced, the organization had no prior experience with medical devices.

With the introduction of FDA’s combination product regulations and 21 CFR Part 4, the company realized they needed to house their drug product in a drug delivery system—triggering a set of new design and regulatory requirements. Despite their mature quality system aligned to 21 CFR Parts 210/211, they lacked the internal expertise and infrastructure to integrate device development, design controls, and risk management into their QMS.

RCA Approach

Regulatory Compliance Associates® (RCA) was brought in to establish a compliant and sustainable combination product development framework. The engagement began with a comprehensive gap assessment to evaluate the client’s current quality system against the regulatory requirements in 21 CFR Part 820 and Part 4.

While foundational systems like CAPA were already robust, gaps were identified in design controls, risk management, and supplier controls. RCA worked closely with the client to integrate these new requirements into the organization’s operations.

Key activities included:

  • Developing and revising SOPs: 
    • Multiple SOPs were created covering design controls, risk management, and management responsibilities. 
    • Existing SOPs (such as Purchasing Controls) were updated to reflect device-specific needs. 
  • Training cross-functional teams: 
    • RCA conducted training sessions for QA, regulatory affairs, manufacturing operations, and marketing on combination product regulations and new procedures. 
  • Establishing design documentation: 
    • Created complete design history files (DHFs) using new SOPs. 
    • Developed design and development plans, design input requirements, and detailed design specifications for all components, packaging, and labeling. 
    • Facilitated risk assessments through cross-functional collaboration. 
  • Technical and manufacturing support: 
    • Integrated device tests into ongoing stability studies. 
    • Worked with external vendors on component specifications. 
    • Helped develop and qualify an in-house final assembly process and supported manufacturing process qualifications for new equipment. 
    • Conducted and documented a design transfer to manufacturing. 
  • Verification & validation (V&V): 
    • Executed comprehensive testing, including: 
      • Container Closure Integrity 
      • Delivered Volume 
      • Break Loose and Glide Force 
      • Human Factors (Formative and Summative) per IEC 62366 
  • Regulatory support: 
    • Assisted in authoring the Device Section of the BLA, ensuring alignment with FDA expectations. 

Result

Thanks to RCA’s support, the company was able to initiate its Phase 3 clinical trials on schedule, with a fully compliant combination product. 

Over the next two years, the organization successfully launched three commercial combination products—two prefilled syringes and one vial kit—all of which passed FDA audits. The quality system enhancements and DHFs stood up to regulatory scrutiny, and the trained internal teams were able to carry the work forward independently. 

RCA also temporarily stood up a Device Development Department, mentoring internal staff and ensuring a seamless handoff post-acquisition. The company has since maintained compliance and continues to expand its biosimilar product portfolio with confidence.