To curb hacking, the FDA says that manufacturers must continue to update and patch medical devices following their release to stay on top of cybersecurity standards.

Additionally, they must provide a software bill of materials and have a plan for identifying and addressing “postmarket cybersecurity vulnerabilities,” according to the law.

Any devices that use software and are connected to the internet must meet these guidelines, which took effect on March 29, as part of the $1.7 billion omnibus appropriations bill enacted in December 2022 that allocated $5 million to the cause.
It amends the Federal Food, Drug, and Cosmetic Act (FD&C Act) and aligns medical device designs with the White House's National Cybersecurity Strategy, released in early March, according to The Record.

“We are seeing a ‘Shift Left’ strategy to push the responsibilities from the operators of the device to the manufacturers of IoMT [Internet of Medical Things] equipment and devices,” Chris Warner, operational technology cybersecurity expert at GuidePoint Security, told The Record.

The law only applies to new solutions, not ones already on the market. Regulators will help companies adjust to the new standards until October 1.

Back in September, the FBI identified “an increasing number” of defects that put unpatched medical devices at risk, including running on outdated software, lacking sufficient security features, and being unable to update those features.

Healthcare attacks were 86% higher in 2022 than 2021, with an average of 1,410 weekly per organization, reported cybersecurity software company Check Point.

A study published in September by enterprise security firm Proofpoint’s Ponemon Institute found that cyberattacks on healthcare organizations raised mortality rates by more than 20%.

Health IT Homepage