Complying with FDA's medtech cybersecurity requirements means doing the right thing. This will create compliance. You can create more business value (revenue, time), by adding a dose of conviction and publicizing.
Cybersecurity weaknesses in medical devices can harm humans, FDA has implemented new regs, and medtech manufacturers are working to comply. Some will do the bare minimum (i.e., those who do just enough to comply), and some may capitalize on the changes to their strategic advantage. I think the ones who decide to draw a line in the sand, do what we know is right, and then publicize it heavily, will drastically outperform the competitors who do "just enough."
A Story: The founder of Patagonia started his business by making and selling hardware used to create anchors in rocks, which in turn held ropes and allowed climbers to scale sheer walls of rock and cliff. Eventually, they realized that the hardware Patagonia sold chipped the rocks, which would ruin the natural landscape over time. Yvon Chouinard, Patagonia founder and CEO, decided to stop selling his #1 product. Instead, he started selling rock-preserving hardware that someone else had pioneered. In any business book, this would have been a terrible idea. Ending the leading product line kills a business, right? Not in this case; it turned out to be an extremely profitable move. But it wasn't because a regulator told him to stop, and it wasn't because his customers demanded it. Rather, Patagonia's unexpected success resulted from heavily marketing the decision, the reasoning, and how the new products adhered to the brand. In other words, Chouinard went public. He shouted from the rooftops "We are going to stop using this product, because it harms the rock we love. Instead, we're offering something that works." And customers came in droves.
Medtech: Now's the time to say: "Our bar for quality is high, and cybersecurity is part of quality. From today on, we no longer develop new products that cannot be routinely updated. Wherever feasible, we are going to manage the device security for our consumers instead of adding additional burdens to hospital IT staff. We are committed to doing our part; we commit that our devices do not add to the systemic burden and risk to the healthcare ecosystem."
Here's a shorter version: "From now on, we're only shipping new devices that come with modern security. We're setting the bar for quality where it needs to be for our patients, our customers, and the public good."
My business advice: Now, since you have to do it anyway, make it count:
Draw a line in the sand via company-wide requirements, and hold strong against protests from R&D PMs and business units who will have some replanning to do.
Tell everyone about it. Deploy a marketing campaign, internally and externally.
Live the change. Put it in the QMS, internally audit R&D programs for adherence.
From everything I know, the manufacturers who choose to do it this way will enjoy the win-win*.
~Shannon, the Optimistic Optimizer
* Ps. Research supports this too. This is worth a read: Do Good, by Anne Bahr Thompson
Everything you wrote in this piece - the tie to Patagonia (as an outdoorsman I know his story) Everything - fantastic. Thank you.
Rob Smigielski