FDA can now reject new medical devices over cyber standards
The Food and Drug Administration affirmed Wednesday that medical device manufacturers must now prove their products meet certain cybersecurity standards in order to get the agency’s approval.
The guidelines were laid out in the omnibus appropriations bill signed into law last December, which authorized the FDA to impose security requirements on manufacturers and allocated $5 million to the cause. The rules came into effect on Wednesday — 90 days after the bill was enacted.
The rules pertain to all new medical device applications, but regulators said they will work with companies to help them meet standards until October 1.
Under the law, manufacturers must design and release updates and patches after a product goes to market, provide a software bill of materials, and submit a plan for identifying and addressing “postmarket cybersecurity vulnerabilities.” The rules apply to devices that run software and connect to the internet, for example insulin pumps, blood sugar monitors, and certain pacemakers.
“The medical device industry has never had so many products connected to the internet,” said Tiffany Gallagher, health industries risk & regulatory leader at PwC. “As innovations in healthcare technology continue to grow, these regulations will help ensure that cybersecurity is baked into devices from the very beginning and continues to be a top-of-mind priority beyond the initial implementation.”
The medical industry has been a frequent target of cyberattacks, with 2022 seeing a huge spike in attacks on the sector. Last September, the FBI warned that vulnerabilities in medical devices were leaving the door open for threat actors to exploit them. Researchers cited in the bureau’s white notice found that more than half of all connected medical devices had critical vulnerabilities.
Because the regulations only apply to new products, “it will not alleviate the concerns for currently deployed insecure devices and legacy technologies,” said Danielle Jablanski, operational technology cybersecurity strategist at cybersecurity firm Nozomi Networks.
The focus on device manufacturers is in line with a new government emphasis on holding software makers and industry accountable for defects in their products, rather than placing that burden on users, a point stressed in the recently released National Cybersecurity Strategy.
“We are seeing a ‘Shift Left’ strategy to push the responsibilities from the operators of the device to the manufacturers of IoMT [Internet of Medical Things] equipment and devices,” said Chris Warner, operational technology cybersecurity expert at GuidePoint Security.
Additional reporting by Jonathan Greig.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.