The US Food and Drug Administration (FDA) will require medical device makers to meet specific cybersecurity requirements when submitting an application for a new product.
Guidance issued by the agency on March 30 explains that the new requirements are part of the Consolidated Appropriations Act signed into law in late 2022, specifically a section titled “Ensuring Cybersecurity of Medical Devices”, which amended the Federal Food, Drug, and Cosmetic Act (FD&C Act).
According to the FDA, submissions for new medical devices will need to include specific cybersecurity-related information, such as the description of a plan for identifying and addressing vulnerabilities and exploits in a reasonable time.
Companies must also provide details on the processes and procedures for releasing postmarket updates and patches that address security issues, including through regular updates and out-of-band patches in the case of critical vulnerabilities.
The information provided to the FDA must also include a software bill of materials (SBOM) for commercial, open source and off-the-shelf components.
The requirements apply to cyber devices — this is any device that runs software, has the ability to connect to the internet, and could be vulnerable to cyber threats.
The new cybersecurity requirements do not apply to submissions prior to March 29, 2023, and the FDA will not reject applications solely on this requirement until October 1 — it will provide assistance to companies until that date. However, starting with October 1, the agency may start rejecting premarket submissions that do not contain the required information.
The FDA has also published an FAQ page that provides additional clarifications on the new requirements, as well as links to useful resources.
The US Cybersecurity and Infrastructure Security Agency (CISA) has been publishing advisories that describe vulnerabilities in medical devices, and a report published earlier this year by industrial cybersecurity firm SynSaber shows that the number of flaws reported in 2022 decreased to 23, from 87 in 2021 and 79 in 2021.
The FBI issued a notification last year, warning healthcare facilities of the risks associated with unpatched and outdated medical devices.
Related: FDA Approves Use of New Tool for Medical Device Vulnerability Scoring
Related: Canon Medical Product Vulnerabilities Expose Patient Information
Related: Medical, IoT Devices From Many Manufacturers Affected by ‘Access:7’ Vulnerabilities