As the number of cyber attacks on healthcare organizations continues to increase, so does the need for proper security measures for medical devices. In September, the Federal Bureau of Investigation reported that more than half of all hospital-connected medical devices had known vulnerabilities, and that more than 40 percent of devices at the end-of-life stage receive few or no security patches. This combination of outdated technology and missing security controls puts patient data, and potentially patient safety, at serious risk.
Changing Regulations from the FDA
The Food and Drug Administration (FDA) has issued multiple guidance documents on cybersecurity in the past. However, guidance is not legally binding. Congress has now given the FDA the authority to require manufacturers to provide cybersecurity information when they apply for product approval or clearance.
This matters most when a product includes software or internet connectivity. Software defects and exploitable vulnerabilities can directly affect patient safety, and the FDA must make sure that manufacturers fully understand this risk when developing new products. Under the new requirement, manufacturers must meet the applicable cybersecurity requirements before a product can be approved or cleared.
The legislation was signed in December 2022, and the requirements took effect on March 29, 2023. By June 2023, the FDA must publish an update on how companies are strengthening cybersecurity for their devices, and by December 2024 it must update its cybersecurity guidance for medical device manufacturers. A draft guidance issued a year earlier also outlines how companies should address cybersecurity in premarket submissions and across the device life cycle.
Delayed Enforcement of “Refuse to Accept” Letter Policy
Failure to meet these FDA requirements will result in a "refuse to accept" letter. Rather than an approval or clearance decision, the letter states that the application was not accepted for review and explains which requirements were not met. This policy was initially supposed to be enforced starting October 1st this year.
The enforcement dates have been delayed for a variety of reasons, including a shortage of personnel with the necessary skills and the demands of COVID-19 precautions. Enforcement will therefore not begin until further notice.
Medical professionals and regulators have identified cyber risk as a major threat to healthcare systems. Organizations must keep up with updates and take extra precautions to ensure their applications meet regulatory requirements. Although enforcement of some requirements has recently been delayed, organizations still need to be prepared.