FDA Passes New Cybersecurity Rules for Medical Devices

The Food and Drug Administration (FDA) has introduced new cybersecurity regulations, asking medical device manufacturers to meet specific requirements when registering a new product.

According to theadministration, submissions for new medical devices will now need to include details on the cybersecurity protections for the device, as well as plans for post-release security updates. The requirements specifically target any device that connects to a network and is therefore vulnerable to online attacks.

The new regulations are part of the Consolidated Appropriations Act, which was passed into legislation late last year, specifically the section titled “Ensuring Cybersecurity of Medical Devices.

The FDA said its new powers under recent legislation “represent a significant step forward in the FDA’s role in regulating cybersecurity as part of a medical device’s safety and effectiveness.”

The new regulations are not expected to be enforced until October, at which point the FDA said medical device manufacturers will have had “sufficient time” to adapt to the changes. 

The update comes as the Biden administration has boosted cybersecurity spending, with the 2024 budget planning a $3.1 billion investment into the Cybersecurity and Infrastructure Security Agency, marking a $145 million increase from the current amount. 

It also follows an FBI report in September looking into the vulnerabilities of connected medical devices, with the agency saying more than half of all connected hospital devices contain “known critical vulnerabilities”.