The core competency of healthcare is healthcare. Whether innovating new clinical treatments, enabling data sharing across a care team or discovering novel ways to enhance the quality of life, healthcare knows clinical care. The challenge faced in prioritizing medical device-based cybersecurity is that the buyers of medical devices haven’t been able to push for it as part of their purchase criteria.
See what people are saying about our advancements towards a more secure future of healthcare.
On March 29, 2023, the FDA has issued a new final guidance on the Refuse to Accept (RTA) policy relating to cybersecurity in medical devices, specifically for “Cyber Devices” as defined in the newly-amended FD&C Act (Section 524B). In mapping its guidance to the new statutory authority, the FDA specifies what is expected when a submission is provided to the agency for review.
On Dec 29, President Biden signed into law a $1.7 trillion omnibus spending bill that has significant implications for healthcare as well as for how security for medical devices are regulated and enforced. Manufacturers must now include evidence of security controls and security testing, as well as plans to maintain device’s security posture through updates and patches, all supported by documented evidence, e.g., a software bill of materials for commercial, open-source, and off-the-shelf software components.
Cybersecurity used to be seen as a compliance initiative in healthcare but has become a patient safety and business imperative in recent years. For MDMs, tying market delays and metrics to a lack of security will inspire faster action. For HDOs, assessing strategies for incoming devices can start to shift the tide in how risks expand.