FDA can now reject new medical devices over cyber standards

March 29, 2023 – Published on The Record

The Food and Drug Administration affirmed Wednesday that medical device manufacturers must now prove their products meet certain cybersecurity standards in order to get the agency’s approval.

The guidelines were laid out in the omnibus appropriations bill signed into law last December, which authorized the FDA to impose security requirements on manufacturers and allocated $5 million to the cause. The rules came into effect on Wednesday — 90 days after the bill was enacted.

The rules pertain to all new medical device applications, but regulators said they will work with companies to help them meet standards until October 1.

Under the law, manufacturers must design and release updates and patches after a product goes to market, provide a software bill of materials, and submit a plan for identifying and addressing “postmarket cybersecurity vulnerabilities.” The rules impact devices that have software and are connected to the internet, for example insulin pumps, blood sugar monitors, and certain pacemakers.

“We are seeing a ‘Shift Left’ strategy to push the responsibilities from the operators of the device to the manufacturers of IoMT [Internet of Medical Things] equipment and devices,” said Chris Warner, operational technology cybersecurity expert at GuidePoint Security.
