FDA Cybersecurity Requirements for Medical Devices Now in Effect

Ensuring medical devices are cybersecure is one of the biggest security challenges in healthcare. Medical devices often have unpatched vulnerabilities, run on outdated software that has reached end-of-life, and lack appropriate security features. As such, they are a security weak point that can be exploited by malicious actors to gain access to healthcare networks and sensitive patient data.

According to the FBI, more than half of all medical devices used by hospitals have critical vulnerabilities that have not been addressed and, on average, medical devices have more than 6 vulnerabilities that could potentially be exploited by malicious actors. More than 40% of medical devices are at end-of-life and have little to no opportunity for security patches or upgrades.

Steps are being taken to improve the cybersecurity of medical devices. Device manufacturers will soon be required to incorporate adequate cybersecurity measures and to develop and implement a plan for addressing vulnerabilities throughout the lifecycle of their devices; otherwise, the U.S. Food and Drug Administration (FDA) will not authorize their use.

On Wednesday, March 29, 2023, the medical device cybersecurity requirements of the $1.7 trillion omnibus spending bill – The Consolidated Appropriations Act, 2023 – took effect and the FDA now requires all regulatory submissions for medical devices to include information about the cybersecurity measures that have been implemented for the devices. Section 3305 of the Omnibus bill — Ensuring Cybersecurity of Medical Devices — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This requirement took effect 90 days after the enactment of the Act on December 29, 2022, which means premarket submissions submitted to the FDA after March 29, 2023, require information to be included about the cybersecurity of medical devices.

In a guidance document for FDA staff, the FDA said it does not intend to issue refuse to accept (RTA) decisions for premarket submissions that fail to include the required information on cybersecurity until after October 1, 2023. This will give sponsors of medical devices sufficient time to prepare the necessary information; however, after that date, the FDA will no longer accept applications and submissions that lack the required cybersecurity elements. In the meantime, the FDA will work with applicants to fix any defects in their documentation.

The sponsor of an application or submission must confirm compliance with four core cybersecurity requirements:

  1. A plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
  2. Processes and procedures that provide reasonable assurance that the device and related systems are cybersecure, including the prompt release of updates and patches once the device is on the market to address known unacceptable vulnerabilities and critical vulnerabilities that could cause uncontrolled risks.
  3. A software bill of materials (SBOM) covering the device's commercial, open-source, and off-the-shelf software components.
  4. Compliance with such other requirements as the FDA may add through regulation to demonstrate reasonable assurance that devices and related systems are cybersecure.

The FDA will work with the Cybersecurity and Infrastructure Security Agency (CISA) to update its guidance on cybersecurity for medical devices within the next two years. It will also update its online resources within 6 months, and at least annually thereafter, on how healthcare providers and device makers can identify and address vulnerabilities and work with the FDA and other government agencies to strengthen the security of medical devices.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
