Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

FDA Announces New Cybersecurity Requirements for Medical Devices

The FDA is asking medical device manufacturers to provide cybersecurity-related information when submitting an application for a new product.

The US Food and Drug Administration (FDA) will require medical device makers to meet specific cybersecurity requirements when submitting an application for a new product.

Guidance issued by the agency on March 30 explains that the new requirements are part of the Consolidated Appropriations Act signed into law in late 2022, specifically a section titled “Ensuring Cybersecurity of Medical Devices”, which amended the Federal Food, Drug, and Cosmetic Act (FD&C Act).

According to the FDA, submissions for new medical devices will need to include specific cybersecurity-related information, such as the description of a plan for identifying and addressing vulnerabilities and exploits in a reasonable time. 

Companies must also provide details on the processes and procedures for releasing postmarket updates and patches that address security issues, including through regular updates and out-of-band patches in the case of critical vulnerabilities.

The information provided to the FDA must also include a software bill of materials (SBOM) for commercial, open source and off-the-shelf components.

The requirements apply to cyber devices — this is any device that runs software, has the ability to connect to the internet, and could be vulnerable to cyber threats. 

The new cybersecurity requirements do not apply to submissions prior to March 29, 2023, and the FDA will not reject applications solely on this requirement until October 1 — it will provide assistance to companies until that date. However, starting with October 1, the agency may start rejecting premarket submissions that do not contain the required information. 

The FDA has also published an FAQ page that provides additional clarifications on the new requirements, as well as links to useful resources. 

Advertisement. Scroll to continue reading.

The US Cybersecurity and Infrastructure Security Agency (CISA) has been publishing advisories that describe vulnerabilities in medical devices, and a report published earlier this year by industrial cybersecurity firm SynSaber shows that the number of flaws reported in 2022 decreased to 23, from 87 in 2021 and 79 in 2021. 

The FBI issued a notification last year, warning healthcare facilities of the risks associated with unpatched and outdated medical devices.

Related: FDA Approves Use of New Tool for Medical Device Vulnerability Scoring

Related: Canon Medical Product Vulnerabilities Expose Patient Information

Related: Medical, IoT Devices From Many Manufacturers Affected by ‘Access:7’ Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...