The FDA introduced a new cybersecurity policy for medical devices on 29th March 2023, as part of the Federal Food, Drug, and Cosmetic Act. Medical devices defined as “cyber devices” must now comply with specific cybersecurity requirements, including post-market monitoring, addressing vulnerabilities, and providing updates and patches. The “Refuse to Accept” policy empowers the FDA to reject submissions that fail to meet these standards. The policy comes in response to the rising number of cyberattacks targeting medical devices and aims to ensure patient safety, device performance, and cybersecurity from the initial stages of development. It does not apply retroactively for currently deployed insecure devices and legacy technologies.
Cybersecurity in the connected healthcare ecosystem
Medical devices are increasingly connected to the internet, hospital networks, and other devices to improve healthcare and enable healthcare providers to treat patients more effectively. However, these features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, which could impact the safety and effectiveness of the device. The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.
Manufacturers must design and release updates, patches, provide a software bill of materials, and submit a plan for identifying and addressing post-market cybersecurity vulnerabilities. These rules affect devices with software and internet connections, such as insulin pumps, blood sugar monitors, and certain pacemakers. The new focus on device manufacturers aligns with the government’s focus on accountability for software makers and industry for product defects.
Tiffany Gallagher, PwC Health Industries Risk & Regulatory Leader, said to The Record, “As innovations in healthcare technology continue to grow, these regulations will help ensure that cybersecurity is baked into devices from the very beginning and continues to be a top-of-mind priority beyond the initial implementation”.
Addressing the growing cybersecurity threats to medical devices
The medical industry has been increasingly targeted by cyberattacks, with a significant spike in 2022. The FBI warned in September 2022 of vulnerabilities in medical devices, with over 50% of connected devices having critical vulnerabilities. The new regulations aim to address these vulnerabilities and protect patients’ safety and privacy.
Chris Warner, Operational Technology Cybersecurity Expert at GuidePoint Security, said, “We are seeing a ‘Shift Left’ strategy to push the responsibilities from the operators of the device to the manufacturers of IoMT [Internet of Medical Things] equipment and devices”. The FDA’s new policy is a crucial step towards a more secure healthcare ecosystem, benefiting patients, healthcare providers, and manufacturers alike.
While the new policy marks a significant milestone in medical device cybersecurity, it is essential to continue monitoring and addressing cybersecurity risks in the healthcare industry. Collaboration between manufacturers, healthcare providers, and regulators will be crucial to ensure the safety and effectiveness of medical devices in an increasingly connected world.