Medical devices are evolving rapidly as the technology built into them advances, and cybersecurity considerations have struggled to keep pace. To this end, the FDA has once again weighed in with updated guidance aimed at safeguarding the sensitive information that keeps healthcare systems running. The new guidance centers on protecting commonly used medical devices, such as insulin pumps and heart monitors, that are particularly prone to hacking. Past FDA guidelines have often been viewed as ineffectual or simply behind the curve; experts agree that this iteration might have “real teeth.”
The guidance requires that all medical device manufacturers submit “a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities, and exploits,” and put in place processes and procedures to affirm that “device[s] and related systems are cybersecure.” It also requires regular, cycle-to-cycle, cybersecurity-minded patches, as well as an up-to-date software bill of materials (SBOM) for every device.
The startlingly widespread presence of legacy IT and unsegmented, flat networks found in recent in-house evaluations has laid bare the vulnerabilities in modern health networks, and the lack of security systems tailored to the expansive variety of technology used in the industry all but begs for momentous change.
The FDA’s keener eye in this area is backed by the late-2022 Consolidated Appropriations Act, or Omnibus bill, signed into law by President Biden. Its Section 3305, an amendment to the Federal Food, Drug, and Cosmetic Act (FFDCA), requires “ensuring cybersecurity of medical devices” and recently took effect after a three-month waiting period. The FDA has given medical device manufacturers twice that amount of time, starting now, to bring their cybersecurity up to snuff.