Under a new law, FDA submissions must prove that medical devices meet cybersecurity standards

Already this year, major medtech makers including BD, Insulet and Zoll Medical have all alerted their customers to cybersecurity vulnerabilities in their medical devices that could potentially compromise sensitive health information or other personal data.

Hoping to prevent any such breaches is the FDA, which will now require medical device makers to submit information about their cybersecurity efforts alongside applications for regulatory clearance of their devices. The new requirements went live Wednesday, as a $1.7 trillion federal omnibus spending bill took effect, though the FDA said in an accompanying guidance that it doesn't intend to begin enforcing them until Oct. 1, at which point devicemakers will "have had sufficient time" to adjust to the guidelines.

The new law updates the Food, Drug and Cosmetic Act to mandate that all regulatory submissions for medical devices include information regarding four core cybersecurity requirements.

For one thing, devicemakers have to submit a plan outlining how they plan to track and address any cybersecurity vulnerabilities that may crop up once their device is already on the market. They’ll also need to put in place internal procedures devoted not only to ensuring that their devices are as cybersecure as possible, but also to quickly rolling out patches and updates as hacking risks are uncovered.

In addition to setting up those internal plans and processes, devicemakers are also now required to include a “software bill of materials” in each of their FDA submissions, detailing every single software component included in a device.

The fourth requirement listed in the bill leaves the door open for future updates to the FDA’s cybersecurity standards, asking that manufacturers “comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.”

Beyond those mandates for individual devicemakers, the bill also requires that the FDA work with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to update its existing guidance on cybersecurity in medical devices within two years, and then to update it periodically after that as needed.

Additionally, within six months of the bill’s enactment this week—and then at least once every year—the FDA must update its online resources to offer the most up-to-date information available about how healthcare providers and devicemakers can spot and address vulnerabilities, and how they can work with the FDA, CISA and other federal agencies to strengthen the security of the devices they build and use.

Meanwhile, the U.S. Comptroller General also has one year to develop a report “identifying challenges in cybersecurity for devices” and offering suggestions for how government agencies can help minimize those challenges for manufacturers, healthcare providers and patients.

The FDA update in the new spending bill—which President Joe Biden signed into law in the final days of 2022—comes in the wake of a flood of reports suggesting that internet-connected medical devices are extremely vulnerable to hackers.

The FBI cited several of those reports in a September analysis (PDF), including data showing that more than half of all connected devices in hospitals contain “known critical vulnerabilities” and that the average medical device comprises more than six possible points of entry for a hacker.

In some cases, as the FBI noted, those bad actors could alter devices to display incorrect readings or even administer drug overdoses, among other methods of tampering with users’ health—especially as critically needed devices like pacemakers, implanted defibrillators and insulin pumps are among the many at risk of being breached.

Editor's note: The first paragraph of this story was updated to clarify that BD's recent cybersecurity alert didn't concern a reported breach, but an identified vulnerability in its Alaris Infusion Central software.