The FDAs Medical Device Cybersecurity Overhaul Has Real Teeth, Experts Say

Published: 23/11/2024   Category: security




The physical and cyber safety issues surrounding medical devices like IV pumps are finally being meaningfully addressed by a new policy taking effect this week.



The Food and Drug Administration (FDA) this week put into effect fresh guidance concerning the cybersecurity of medical devices — long a concerning area of risk for healthcare organizations and patients alike. The policy is one in a long line of attempts by the FDA to put some guardrails around the susceptibility of things like insulin pumps and heart monitors to hacking, and experts say that this time, the FDA's move might actually make a difference.
Effective immediately, medical device manufacturers are advised to submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits.
Manufacturers are also asked to design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure. This includes making patches available on a reasonably justified regular cycle and, for newfound critical vulnerabilities, as soon as possible out of cycle.
And finally, the FDA is asking that new devices come prepared with a software bill of materials (SBOM).
For some, FDA guidance may evoke memories of prior actions that failed to improve cybersecurity in this critical area in any real way. But experts say this long road has finally reached a real, genuine inflection point. Starting now, new medical devices that don't meet these standards will be blocked from the market.
"It's actually been a process that's taken place over approximately the last 10 years," says Cybellum CMO David Leichner. "And it came to fruition two days ago."
Medical device security has been an alarmingly lagging area for cybersecurity for a very long time, and there's a laundry list of reasons why. Healthcare facilities often use legacy IT and have flat networks that aren't segmented, for instance — even as medical devices for patients are increasingly connected. And security by design isn't common.
"A medical device manufacturer may be very experienced in designing highly reliable and innovative devices, but they may not necessarily be security experts," explains Axel Wirth, chief security strategist at MedCrypt.
In fact, the most cutting-edge medical equipment sometimes introduces new security problems that the old stuff never had. Internet connectivity brings a slew of benefits to providers, but also opportunities for hackers. In the State of Healthcare IoT Device Security 2022 report, healthcare IoT firm Cynerio found that more than half of all connected medical devices are vulnerable, including, for example, nearly three out of every four IV pumps.
Thus, cybercriminals can easily break in and run rampant across a hospital network, reaching whatever endpoints they choose, including these life-saving devices. This could have physical consequences for patients if a device is vulnerable to takeover by an unauthorized user. The risk isn't theoretical: a September 2022 report by Proofpoint's Ponemon Institute linked a 20% increase in mortality rates to cyberattacks targeting healthcare organizations.
This is all exacerbated by the fact that when bugs are discovered, device manufacturers have a terrible track record of issuing patches in a timely manner (as is the case for most IoT gear), and healthcare settings have an even more terrible track record of implementing them.
"One reason [for the insecurity] is that these devices live longer," Wirth points out. "Because they're designed to last a while — which is otherwise a positive thing — they may be outdated or running outdated software, and any operational technology (OT) that is not necessarily up to date is more difficult to maintain. It's more difficult to deploy patches; it's more difficult to find time during hospital operations to update the device."
Considering the ubiquity of security failures in the industry, coupled with the massive consequences at stake in the event of a breach, many have urged the government to do more than offer suggestions for addressing the problems.
On Dec. 29, President Biden signed into law the Consolidated Appropriations Act, also known as the Omnibus bill, which included Section 3305 — "Ensuring cybersecurity of medical devices" — an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect on Thursday, 90 days after the Omnibus passed.
So what happens now? It takes time for manufacturers to change their processes and for new products to integrate new rules and regulations (to say nothing of how healthcare, in general, moves more slowly than other industries, by necessity). The FDA has arranged for a six-month window — until Oct. 1 — for manufacturers to get used to the new rules of the road.
From now until then, the FDA will work collaboratively with manufacturers to ensure compliance, the agency clarified in an accompanying notice. Once Oct. 1 hits, the FDA expects that sponsors of such cyber devices will have had sufficient time to prepare. At that point, it will begin issuing "refuse to accept" (RTA) decisions to prevent any devices that don't meet the stated standards from reaching the market.
"Manufacturers are asking: 'When does this hit us?'" explains Naomi Schwartz, MedCrypt's senior director of cybersecurity quality and safety. "And the FDA is clarifying: 'We're not going to start refusing to accept until October, so that you have time to update all of your documentation and relieve a little bit of pressure and fear. But no kidding, you guys better get your stuff ready in the next six months, because it's coming.'"
What remains to be seen is how the FDA will enforce its rules after a device is released to the public. Preventing a machine from reaching hospitals is one thing, but ensuring that vendors meet so many of the other requirements outlined in these guidelines — like regular monitoring, consistent patching, and responsible vulnerability disclosure — requires never-ending oversight.
"This is definitely going to increase the overhead of the FDA," Cybellum's Leichner figures. "It'll be interesting to see how they go about this."
Even once manufacturers start turning out gear that's in compliance with the policy, an overhaul of healthcare device cybersecurity will take a while.
"Medical devices can be very pricey," Wirth points out, "and replacing medical devices in hospitals requires budget, requires training. Sometimes it requires even changes in building and infrastructure. So it'll take a number of years." Section 3305 assigns no deadline for healthcare providers to replace their existing legacy equipment.
Still, he says, "I think we are already seeing better secure devices arrive in the market," especially since the US isn't the only place to start demanding security hardening of the devices.
Even though the FDA's policy might take a while to bear real fruit (and it's too soon to know for certain), we may look back on 2023 as a watershed for the industry.
"This is going to help FDA staff, it's going to help the industry, it's going to motivate people to stop kicking the can down the road and start buckling down now," MedCrypt's Schwartz concludes. "It's pretty cool."
