New Cyber Protection Rules For Medical Devices

The federal government has instituted a new set of guidelines regarding the cyber vulnerabilities of medical devices. These include provisions that allow the FDA to "not accept" devices that are at risk for cybersecurity breaches.

The new guidelines allow the agency to vet all new devices as well as recall those determined to be at risk for cyber vulnerabilities. This requires all vendors to update software and marketing materials, and to have a plan to actively "monitor, identify and address cyber vulnerabilities" on any devices currently on the market.

The gravest concern is the threat of hackers taking control of these devices remotely, putting patients' lives in jeopardy. Addressing cybersecurity in the medical field has been an area of concern for some time now, with many calling for more government "policing". Christian Vasquez, "FDA cyber mandates for medical devices goes into effect", www.cyberscoop.com (Oct. 02, 2023).

 

Commentary

 

The September 27, 2023, guidelines are in response to the growing number of attacks in the healthcare and life science industries. The guidance is broad: all devices with a software function, which contain software or programmable logic and are network-enabled, are included – from thermometers to advanced diagnostic devices.

The guidelines call for more device labeling – the label should include an accurate description of the device's cyber risks, understandable by the "average user". Fines, injunctions, and civil and criminal penalties can result from a failure to include proper cyber warnings on the label.

On November 02, 2023, the FDA is holding a webinar at 1:00 p.m. ET for industries and stakeholders who want to learn more about the guidance.



 

 
