The U.S. Food and Drug Administration (FDA) has confirmed plans to require manufacturers of smart medical devices to meet new cybersecurity measures as more IoT medical devices enter the market.
The move will also authorize the FDA to enforce new cybersecurity standards and even reject applications before new medical devices are launched on the market, starting March 29, 2023, three months after the signing of the Collective Measures Act.
However, the FDA promises to work with and support companies in meeting the new standards for the next six months, until October 1.
Cyberattacks on medical devices
Medical devices subject to the new rules include those that are connected to the internet, those that run software, and those that would otherwise be vulnerable to cyberattacks.
Many sub-categories of the smart healthcare market will be affected, from products such as smart scales, aimed at casual users looking for advanced information, to more serious applications such as blood pressure monitors and even pacemakers.
The new law requires manufacturers to respond to security threats and vulnerabilities by preparing patches instead of running the same pre-installed version of the software throughout its lifetime – a change that will force companies to invest in more developers and different technical expertise.
While this is promising news for consumers, existing stock and products, already numbering in the millions of units, are not affected by the Act and are unlikely to be properly updated for a number of reasons, including technical and hardware incompatibility and simply the manufacturer’s decision to introduce new products to the market.
Going forward, we hope that the new requirements will help address the previous FBI finding that more than half (53%) of digital medical devices and other internet-connected medical devices had known vulnerabilities.