Strengthening Cybersecurity in Medical Devices: New FDA Requirements for Manufacturers
Ensuring Patient Safety through Advanced Security Measures and Compliance
This year, major medtech makers such as BD, Insulet, and Zoll Medical have already alerted their customers to hacking events that may have compromised sensitive health information or other personal data.
To prevent further breaches, the FDA now mandates that medical device makers submit information about their cybersecurity efforts alongside applications for regulatory clearance of their devices. This update to the Food, Drug, and Cosmetic Act stipulates that all regulatory submissions for medical devices must include information regarding four core cybersecurity requirements.
Under these requirements, devicemakers must submit a plan outlining how they will monitor for and address cybersecurity vulnerabilities once their device is on the market. They must also establish internal procedures to make devices as secure against cyberattacks as possible, and to roll out patches and updates quickly as new hacking risks are uncovered.
Moreover, devicemakers must now include a "software bill of materials" (SBOM) in each FDA submission, listing every software component within a device. The fourth requirement leaves room for future updates to the FDA's cybersecurity standards, asking manufacturers to comply with additional regulations in order to demonstrate a reasonable assurance that the device and related systems are cybersecure.
Beyond these mandates, the bill also requires the FDA to collaborate with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to update its existing guidance on cybersecurity in medical devices within two years and periodically thereafter as needed. Additionally, the FDA must update its online resources every six months to offer the most up-to-date information on how healthcare providers and devicemakers can spot and address vulnerabilities and work with the FDA, CISA, and other federal agencies to strengthen device security.
The U.S. Comptroller General has a year to develop a report identifying challenges in cybersecurity for devices and offering suggestions for how government agencies can help minimize these challenges for manufacturers, healthcare providers, and patients.
The new law comes in the wake of numerous reports suggesting that internet-connected medical devices are extremely vulnerable to hackers. The FBI cited data showing that over half of all connected devices in hospitals contain known critical vulnerabilities, and that the average medical device exposes more than six possible entry points for attackers. In some cases, these bad actors could alter devices to display incorrect readings or even administer drug overdoses, endangering the health of users, especially those relying on critical devices such as pacemakers, implanted defibrillators, and insulin pumps.