FDA Requires Connected Medical Devices to Comply With Cybersecurity Guidelines
The Food and Drug Administration will reject applications seeking a substantive review of connected medical devices if the products fail to meet the agency’s cybersecurity guidelines.
New rules implemented on Sunday under Section 524B of the recently amended Food, Drug, and Cosmetic Act direct medical equipment manufacturers to ensure that products connected to the internet, such as pacemakers and insulin pumps, have security features to prevent malicious cyber actors from accessing the devices, CyberScoop reported.
Sponsors of premarket submissions are required to submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities; provide a software bill of materials; and ensure that aftermarket updates and patches will be available.
The rule changes were made amid increasing vulnerabilities in medical devices resulting from unpatched software and insufficient security features. According to an FBI report in 2022, outdated software makes medical devices an attractive target for cyberattacks.
While the updated regulation could delay a product’s launch for commercial use, some experts said medical device makers should be held more accountable for the security of their products.