The FDA won’t approve medical devices vulnerable to cyberattack

The FDA won’t approve medical devices vulnerable to cyberattack

The majority of digital medical devices (53%) in the US, as well as internet-connected tools in hospitals, are at risk of cyberattack, according to a 2022 FBI report.

The US Food and Drug Administration (FDA) wants to change that, and has published new approval guidance that addresses the issue. Starting March 29, following directives contained in the federal omnibus spending bill, the FDA will reject applications for any cyber medical device that does not include a cyberattack protection plan.

The agency defines a cyber medical device as any medical device that has software capability or can be connected to the internet.

Most digital medical devices are vulnerable to attack

According to the 2022 FBI report, each of the medical devices currently on the market has on average 6.2 vulnerabilities to cyberattacks, and there have been recalls for insulin pumps and pacemakers that were found to have particularly serious security issues. For end-of-life devices, as many as 40% of devices have no protection at all against attacks, the report found.

This means that a large number of health devices, many of which are lifesaving, are susceptible to attack. The list provided by the FBI included insulin pumps, intracardiac defibrillators, and pacemakers. “Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health,” said the report.

While such direct attacks have not yet occurred, about half of all hospitals have been targeted with ransomware, and nearly as many believe the attacks ended up affecting their patients’ care, too.

What comes next for digital medical device security?

Going forward, FDA approval of digital medical devices will depend on their sponsors providing evidence that their products are reasonably safe against cyber attacks, and submitting a plan to “monitor, identify, and address” any vulnerabilities and threats.

Until Oct. 1, 2023 , devices that have already been submitted for premarket approval before will not receive a refusal to accept from the FDA, which will instead work with the manufacturers and sponsors to obtain relevant information to assess their safety.

The guidance is only valid until 2025 at the latest, as the omnibus bill requires the FDA to update its cybersecurity guidance every two years at the most, to keep up with updates in threats and technology.