The US Food and Drug Administration (FDA) is set to take a stricter stance on medical device cybersecurity starting in October. Previously, medical device manufacturers were given a grace period to comply with new cybersecurity regulations aimed at strengthening device security against cyberattacks.
However, beginning on October 1st, the FDA will end this grace period and begin rejecting medical devices that lack adequate cybersecurity controls and a post-market patching plan. Manufacturers must now submit plans for monitoring and patching post-market cybersecurity vulnerabilities, have secure device design processes in place, and provide a software bill of materials (SBOM) to the FDA, or risk having their devices rejected due to cybersecurity risks.
This focus on medical device cybersecurity is a result of Congressional legislation passed in December 2022, which required medical device manufacturers to submit cybersecurity information regarding any cyber device to the FDA. The FDA’s new powers, which became effective in March, are expected to compel medical device makers to consider and plan for vulnerabilities and cyberattacks more seriously.
Despite longstanding concerns among cybersecurity experts about the vulnerability of medical devices, manufacturers have been slow to adopt cybersecurity measures. A demonstration of the ability to hack an insulin pump in 2011 and major ransomware attacks on hospitals have highlighted the weaknesses in the sector.
The FDA’s allocation of $5 million of its budget to medical device cybersecurity reflects the severity of the issue, as unchecked cybersecurity threats could severely disrupt healthcare delivery.
However, some critics argue that while the new legislation is a positive step, it lacks specificity in certain areas. For instance, there is no provision addressing legacy devices, some of which are 15 years old and among the most vulnerable.
Additionally, there is a call for industry experts to determine best practices for securing medical devices rather than relying solely on government regulation. Despite these concerns, the FDA’s heightened focus on medical device cybersecurity aims to protect both patients and the healthcare system from cyber threats and vulnerabilities.