The US Food and Drug Administration (FDA) has confirmed plans to require smart health device manufacturers to meet new cybersecurity measures as more IoT medical devices enter the market.
The move (opens in new tab) will also give the FDA approval to enforce new cybersecurity standards and even reject premarket submissions for new medical devices, as of March 29, 2023 – three months after the omnibus appropriations bill was signed into law.
However, the FDA promises to work with and support companies to meet the new standards for another six months, until October 1.
Cyberattacks on medical devices
Medical devices subject to the new regulations include those that are connected to the internet, those that run software, and those that would otherwise be susceptible to cyberattacks.
Numerous subcategories within the smart health market are all going to be affected, including casual users seeking advanced information from smart scales to more serious applications like blood pressure monitors and even pacemakers.
The new law requires manufacturers to respond to threats and vulnerabilities by preparing patches rather than running the same factory version of software for its entire lifespan – a change that will see companies having to invest in more developers and other technical knowledge.
Promising news for consumers, however existing inventory and products already in the hands of millions are unaffected by the bill and are unlikely to be updated accordingly for an array of reasons, including technical and hardware incompatibility and simply a manufacturer’s decision to push new products to market.
Moving forward, it is hoped that the new requirements will help address a previous FBI (opens in new tab) finding that over half (53%) of digital medical devices and other Internet-connected medical devices had known critical vulnerabilities.
