Medical Device Makers Face Increased Cybersecurity Standards From the FDA

A new law from the U.S. Food and Drug Administration will require medical device makers to meet cybersecurity requirements in order to gain regulatory clearance for devices.

The new prerequisites are part of the Consolidated Appropriates Act, 2023 and mandate that medical devices submitted for regulatory approval must provide information on four core cybersecurity requirements.

The requirements are detailed in the Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act guidance and outlined below:

• Submit to the Secretary a plan to monitor, identify and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
• Design, develop and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure. Make available post-market updates and patches to the device and related systems to address, on a reasonably justified regular cycle, known unacceptable vulnerabilities; and, as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.
• Provide to the Secretary a software bill of materials, including commercial, open-source and off-the-shelf software components.
• Comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

In addition, the bill requires the FDA to work with the U.S. Cybersecurity and Infrastructure Security Agency to update existing cybersecurity guidance on medical devices every two years and commit to updating online resources focused on cybersecurity in healthcare, at first within six months of the bill, then at least annually after.

The law comes into effect as concerns over cybersecurity in the healthcare sector are at a fever pitch due to increasing cyber-attacks. A recent report linked a 20% increase in mortality rates to cyber-attacks targeting healthcare organizations.

Additionally, a 2022 FBI report that found 53% of digital and internet-accessible medical devices had known critical vulnerabilities. According to the report, these devices included insulin pumps, intracardiac defibrillators, mobile cardiac telemetry and pacemakers.

While there is a wave of initial skepticism from the healthcare industry due to previous attempts from the FDA to shore up cybersecurity, many industry experts see this law as real change for the for the medical device market, since medical device manufacturers can be blocked from the market for failing to meet the requirements.

The FDA has announced that medical device makers will have a 6-month grace period before they start enforcing the new rule on October 1, 2023.

However, there is still a lot of uncertainty on how the FDA will enforce the new rule on existing devices in the wild – something that will certainly be a hot topic post October 1^st.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.

 To learn more, visit our dedicated Cybersecurity page.