An omnibus appropriations bill that was signed into law by President Biden last year has now granted the U.S. FDA the power to confirm that medical devices meet specific cybersecurity standards before coming to market. Devices such as connected insulin pumps, blood sugar monitors, smart watches, and more, will be reviewed.
The Food and Drug Administration will now require that medical devices meet specific cybersecurity guidelines, after years of concerns that a growing number of internet-connected products used by hospitals and healthcare providers could be hit by hacks and ransomware attacks.
Under FDA guidance issued this week, all new medical device applicants must now submit a plan on how to “monitor, identify, and address” cybersecurity issues, as well as create a process that provides “reasonable assurance” that the device in question is protected. Applicants will also need to make security updates and patches available on a regular schedule and in critical situations, and provide the FDA with “a software bill of materials,” including any open-source or other software their devices use.
The new security requirements came into effect as part of the sweeping $1.7 trillion federal omnibus spending bill signed by President Joe Biden in December. As part of the new law, the FDA must also update its medical device cybersecurity guidance at least every two years.
Read the full article at CNN.
The “FDA Requires Medical Devices be Secured …” article is misleading because this FDA guidance is NOT LEGALLY ENFORCEABLE, as stated in the third paragraph of the actual document …
“In general, FDA’s guidance documents do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidances means that something is suggested or recommended, but not required.”