New Law Enables FDA to Regulate Medical Device Cybersecurity

The new law requires manufacturers of medical devices to ensure that their equipment and related systems are cybersecure.

New Law Enables FDA to Regulate Medical Device Cybersecurity

Photo via Adobe, by terovesalainen

For years now, healthcare providers have been struggling with the cybersecurity issues posed by medical devices. One study released in December found that internet-connected medical devices have a 24% greater risk for cyberattacks.

However, a new federal law passed late last year offers some relief.

The Food and Drug Administration (FDA) now has the authority and $5 million to establish security requirements for pre-market medical devices. The new law requires the manufacturers of internet-connected medical machines to reasonably ensure that their equipment and related systems are cybersecure, reports Lawfare.

That means that all medical device submissions will soon be required to include a software bill of materials and evidence that demonstrates the product can be updated with software patches, reports SC Media.

The move is being applauded by much of the healthcare industry and cybersecurity community. However, the new law only applies to pre-market devices that are waiting for FDA approval. It’s also unclear when manufacturers will be required to comply with the new rules.

The cyber risks posed by medical equipment has been widely known for years. Back in 2015, security researchers warned hospitals and the public that thousands of medical devices were vulnerable to hacking. That equipment included MRI scanners, X-ray machines, and drug infusion pumps.

In 2020, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to hospitals and other healthcare facilities about dozens of GE Healthcare imaging and ultrasound products used for CT scans, MRIs, mammograms, ultrasounds, and positron emission tomography.

In late 2021, the FDA warned healthcare providers that widespread cybersecurity vulnerabilities in commonly used software could affect medical devices by allowing unauthorized users to take control. Other warnings have been issued over the years regarding the cybersecurity issues related to defibrillators, pacemakers.

The medical device security issues add to a growing list of cybersecurity challenges facing healthcare. According to one report, last year nearly 300 U.S. hospitals were impacted by ransomware attacks.

Cybersecurity breaches can result not only in the unauthorized sharing and use of patient and employee information, they can negatively affect patient care.

About the Author

Robin Hattersley Gray
Contact:

Robin has been covering the security and campus law enforcement industries since 1998 and is a specialist in school, university and hospital security, public safety and emergency management, as well as emerging technologies and systems integration. She joined CS in 2005 and has authored award-winning editorial on campus law enforcement and security funding, officer recruitment and retention, access control, IP video, network integration, event management, crime trends, the Clery Act, Title IX compliance, sexual assault, dating abuse, emergency communications, incident management software and more. Robin has been featured on national and local media outlets and was formerly associate editor for the trade publication Security Sales & Integration. She obtained her undergraduate degree in history from California State University, Long Beach.

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Online Summit Promo Campus Safety HQ