FDA to reject new medical devices for lack of cybersecurity

The US Food and Drug Administration (FDA) confirmed that medical device manufacturers must now prove that their products meet certain cybersecurity standards in order to receive approval from the agency.

These rules were laid out in a general appropriations bill signed last December that authorized the FDA to set safety requirements for manufacturers and provided $5 million for the cause. The rules have already entered into force and apply to all new applications for medical devices.

Under the law, manufacturers must design and release updates and patches after a product goes to market, provide a software bill of materials, and submit a plan for identifying and addressing “postmarket cybersecurity vulnerabilities.” The rules impact devices that have software and are connected to the internet, for example insulin pumps, blood sugar monitors, and certain pacemakers.

“The medical device industry has never had so many products connected to the internet,” said Tiffany Gallagher, health industries risk & regulatory leader at PwC. “As innovations in healthcare technology continue to grow, these regulations will help ensure that cybersecurity is baked into devices from the very beginning and continues to be a top-of-mind priority beyond the initial implementation.”

The healthcare industry is a frequent target of cyberattacks, and in 2022 there was a sharp surge in attacks on this sector. Last September, the FBI warned that medical devices remain vulnerable to hackers. Researchers cited by the FBI found that more than half of all networked medical devices have critical vulnerabilities.

Because the rules only apply to new products, they will not alleviate concerns about existing insecure devices and outdated technologies.