Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


IoT Security

FDA Announces New Cybersecurity Requirements for Medical Devices

The FDA is asking medical device manufacturers to provide cybersecurity-related information when submitting an application for a new product.

The US Food and Drug Administration (FDA) will require medical device makers to meet specific cybersecurity requirements when submitting an application for a new product.

Guidance issued by the agency on March 30 explains that the new requirements are part of the Consolidated Appropriations Act signed into law in late 2022, specifically a section titled “Ensuring Cybersecurity of Medical Devices”, which amended the Federal Food, Drug, and Cosmetic Act (FD&C Act).

According to the FDA, submissions for new medical devices will need to include specific cybersecurity-related information, such as the description of a plan for identifying and addressing vulnerabilities and exploits in a reasonable time. 

Companies must also provide details on the processes and procedures for releasing postmarket updates and patches that address security issues, including through regular updates and out-of-band patches in the case of critical vulnerabilities.

The information provided to the FDA must also include a software bill of materials (SBOM) for commercial, open source and off-the-shelf components.

The requirements apply to cyber devices — this is any device that runs software, has the ability to connect to the internet, and could be vulnerable to cyber threats. 

The new cybersecurity requirements do not apply to submissions prior to March 29, 2023, and the FDA will not reject applications solely on this requirement until October 1 — it will provide assistance to companies until that date. However, starting with October 1, the agency may start rejecting premarket submissions that do not contain the required information. 

Advertisement. Scroll to continue reading.

The FDA has also published an FAQ page that provides additional clarifications on the new requirements, as well as links to useful resources. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has been publishing advisories that describe vulnerabilities in medical devices, and a report published earlier this year by industrial cybersecurity firm SynSaber shows that the number of flaws reported in 2022 decreased to 23, from 87 in 2021 and 79 in 2021. 

The FBI issued a notification last year, warning healthcare facilities of the risks associated with unpatched and outdated medical devices.

Related: FDA Approves Use of New Tool for Medical Device Vulnerability Scoring

Related: Canon Medical Product Vulnerabilities Expose Patient Information

Related: Medical, IoT Devices From Many Manufacturers Affected by ‘Access:7’ Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...