US: 5 things to know about new cybersecurity rules for medical devices

New rules now require medical device makers to meet specific cybersecurity criteria to gain FDA approval

Phil Siarri
Mar 30, 2023

The U.S. Food and Drug Administration (FDA) now requires medical device makers to meet specific cybersecurity criteria before new products can be cleared or approved. The authority comes from section 524B of the Federal Food, Drug, and Cosmetic Act, added by the Consolidated Appropriations Act of 2023, and the FDA has said it will refuse to accept premarket submissions for “cyber devices” that do not address these requirements.

Here are five key points:

  • The new requirements, which take effect now, apply to all new premarket submissions for cyber devices and are intended to ensure that cybersecurity is designed into devices from the start rather than bolted on later. The FDA has indicated that, for a transition period, it will work with applicants rather than refuse submissions solely on cybersecurity grounds, so manufacturers with filings already in progress should expect requests for more information rather than outright rejection.
  • Manufacturers must show that their products meet cybersecurity requirements and that they can deliver updates and patches after release, provide a software bill of materials (SBOM) for the commercial, open-source and off-the-shelf components in the device, and present a plan for monitoring, identifying and addressing “postmarket cybersecurity vulnerabilities,” including coordinated vulnerability disclosure.
  • The rules cover “cyber devices”: devices that contain software and have the ability to connect to the internet, such as insulin pumps, continuous glucose monitors and pacemakers. A device does not have to be online at all times to fall in scope; the capability to connect is what matters.
  • The requirements attach to new submissions, so they do not retroactively apply to devices already on the market or to legacy technology already deployed in hospitals and homes.
  • The FDA’s focus on device manufacturers aligns with a broader U.S. government push to hold the software industry accountable for product defects rather than leaving the burden on end users and operators.

Hopefully, this action will improve the security of devices that are increasingly being targeted in cyberattacks. Of course, there is a large installed base of older and legacy equipment out there that these requirements do not reach, so the impact of the new rules will take years to be truly felt as that fleet is replaced.

This story was first published on The PhilaVerse (my Substack newsletter).

Phil Siarri is the founder of Nuadox, a tech and innovation commentator and a digital strategist based in Montreal.