For the first time there is legislation in the US that requires medical device manufacturers to address the devices’ cybersecurity. The Consolidated Appropriations Act of 2023, which was signed into law in late December, includes provisions requiring medical device manufacturers to document that their products can be updated and patched and to provide a software bill of materials for the devices.
- While this is good news, it only applies to new devices, and the FDA has only received $5M to fund development of policy, procedures and enforcement efforts. There are almost 1,000 medical device manufacturers in the US alone – $5M is literally less than 1 week’s worth of direct-to-consumer marketing spending by the medical appliance and equipment sector in the US.
- This moves the security of medical devices from desired to required by statute. The FDA has 180 days to issue premarket guidance for FDA staff and the device industry, and must publish a report identifying challenges in implementing cybersecurity for current and legacy devices within one year. This is a huge step in the right direction, and we expect it will be summer or fall before we see medical devices which align with these requirements.
- Requiring device manufacturers to demonstrate the ability to patch and update their products is a low security bar for them to meet. The importance of product patching can’t be overstated. Over time, let’s hope that device manufacturers include additional security safeguards.
Read more in