The United States Food and Drug Administration (FDA) will be taking a stronger stance on the cybersecurity of medical devices and will refuse those that do not have protection against cyberattacks.
The agency published a guidance document at the end of March in which it stated it would collaborate with sponsors of premarket submissions as part of the interactive or deficiency review process if they were submitted prior to the March 29 date.
Over half of digital medical devices and internet-connected tools in United States hospitals face cyberattack risks, according to a Federal Bureau of Investigation (FBI) report released in 2022.
Each of the medical devices presently on the market has on average 6.2 vulnerabilities to cyberattacks, according to the 2022 FBI report. Security issues have led to recalls of insulin pumps and pacemakers since then.
As many as 40 per cent of end-of-life devices have no protection at all against attacks, according to the report.
These health devices include insulin pumps, intracardiac defibrillators and pacemakers, according to the list given by the FBI.
The FDA places the onus on sponsors to prove devices are safe
The Consolidated Appropriations Act was signed into law on Dec. 29, 2022. Section 3305 of the Omnibus called “Ensuring Cybersecurity of Medical Devices” amended the Food, Drug and Cosmetic Act by adding section 524B, Ensuring Cybersecurity of Devices. The amendments to the act take effect on March 29, 2023.
FDA approval for future digital medical devices will require sponsors to provide evidence that their products are safe against cyberattacks. Submissions will also have to include a plan to monitor, identify and address any vulnerabilities and threats the device may have.
There have been no noted attacks on medical devices yet, but over half of all hospitals have been targeted with ransomware, and this has had a negative effect on patients.
According to a 2022 research report released by healthcare IoT security firm Cynerio, 76 per cent of hospitals have experienced a cyberattack, usually with ransomware, and were attacked three or more times. Another 47 per cent of these hospitals paid the ransom. Another 43 per cent of hospitals have suffered a data breach in the past two years, and finally, 24 per cent of hospitals attacked noted a rise in mortality rates.
Devices previously submitted for premarket approval will not receive a refusal to accept from the FDA until Oct. 1, 2023. Instead, the FDA will work with the manufacturers and sponsors to get the relevant information to assess any safety concerns.
The guidance is only valid until 2025. The omnibus bill also requires the FDA to continually update its cybersecurity guidance to keep up with updates to technology and emerging threats.
Follow Joseph Morton on Twitter