The US Food and Drug Administration (FDA) has issued guidance stating that medical device manufacturers must meet specific cybersecurity requirements when submitting new products for premarket review. The requirements, added to federal law by the Consolidated Appropriations Act signed in late 2022, oblige sponsors to include cybersecurity information in their submissions: a plan for monitoring, identifying and addressing postmarket vulnerabilities, processes and procedures for making security updates and patches available to users, and a software bill of materials (SBOM) covering the device's commercial, open-source and off-the-shelf software components.
The requirements apply to what the law calls a "cyber device": one that includes software validated, installed or authorized by the sponsor, that has the ability to connect to the internet, and that has technological characteristics that could be vulnerable to cybersecurity threats. All three conditions must hold for a device to be in scope.
The FDA has said it will not issue "refuse to accept" decisions for premarket submissions received before October 1, 2023 based solely on the new cybersecurity requirements; until that date the agency intends to work collaboratively with sponsors to bring their submissions into line. From October 1, the FDA may reject premarket submissions that do not include the required cybersecurity information.
The FDA has also published an FAQ page with further guidance and links to related resources.
CISA, the US Cybersecurity and Infrastructure Security Agency, regularly publishes advisories on medical device vulnerabilities. A SynSaber report found that the number of medical device vulnerabilities covered by those advisories fell to 23 in 2022, down from 87 and 79 in the two preceding years; the figure counts published advisories rather than vulnerabilities present in deployed devices, so a lower number does not by itself mean the attack surface has shrunk. The FBI has separately warned healthcare facilities about the risks posed by unpatched and outdated medical devices, which often remain in clinical use long after vendor support has ended.
Taken together, these measures underline how seriously regulators now treat medical device cybersecurity, and the need for manufacturers, healthcare providers and security researchers to cooperate in keeping devices secure throughout their service life.