The Food and Drug Administration will now require medical devices meet specific cybersecurity guidelines after years of concerns that a growing number of internet-connected products used by hospitals and healthcare providers could be hit by hacks and ransomware attacks.
Under FDA guidance issued this week, all new medical device applicants must now submit a plan on how to “monitor, identify, and address” cybersecurity issues, as well as create a process that provides “reasonable assurance” that the device in question is protected. Applicants will also need to make security updates and patches available on a regular schedule and in critical situations, and provide the FDA with “a software bill of materials,” including any open-source or other software their devices use.
The new security requirements came into effect as part of the sweeping $1.7 trillion federal omnibus spending bill signed by President Joe Biden in December. As part of the new law, the FDA must also update its medical device cybersecurity guidance at least every two years.
A 2022 report released by the FBI cited research finding 53% of digital medical devices and other internet-connected products in hospitals had known critical vulnerabilities. The report listed a number of medical devices that are susceptible to cyber attacks, including insulin pumps, intracardiac defibrillators, mobile cardiac telemetry and pacemakers.
“Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health,” according to the FBI report.
In 2021, a group of researchers investigating software used in medical devices and machinery used in other industries found over a dozen vulnerabilities that, if exploited by a hacker, could cause critical equipment such as patient monitors to crash.
The FDA has faced criticisms over the years for not doing enough.
A 2018 report from the US Department of Health and Human Services’ Office of the Inspector General said the FDA was not adequately protecting devices from getting hacked.
“FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises,” the report said.