For the last decade, healthcare provider organizations have borne the brunt of securing the expansive, complex medical device ecosystem. And even the best-equipped health systems struggle to close (and often fail to close) all medical device security risks.
But all that may soon change, at least for premarket device submissions.
The sweeping $1.7 trillion omnibus package passed in December 2022 included measures that give the FDA new authorities to establish medical device security requirements for manufacturers, which has led to overwhelming praise from the healthcare sector.
The omnibus included “long desired FDA authorities” previously left out of the continuing resolution, said Carter Groome, CEO of First Health Advisory. Some of these requirements for premarket submissions were included in the Protecting and Transforming Cyber Health Care (PATCH) Act, which drew broad support from industry stakeholders.
The last FDA appropriations bill passed in September without PATCH Act elements, despite overwhelming bipartisan support — much to the chagrin of medical device security leaders. The Consolidated Appropriations Act of 2023 includes some, but not all, of the language of the PATCH Act.
“Although watered down from PATCH Act asks, it’s a big step forward for health sector resilience and ultimately the safety of people reliant on the integrity and availability of medical devices,” said Groome, who’s also a post-market medical device security advisor and member of the Health Sector Coordinating Council (HSCC).
But even the smallest step in healthcare cybersecurity is a huge win for provider organizations.
UPDATE: FDA will refuse new medical devices for cybersecurity reasons on Oct. 1
The Food and Drug Administration announced March 29 that it will begin to “refuse to accept” medical devices and related systems over cybersecurity reasons beginning Oct. 1.
All new device submissions must include detailed cybersecurity plans beginning March 29.
As such, device manufacturers will need to submit plans to monitor, identify and address in a “reasonable timeframe” any identified post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related plans.
Developers must now design and maintain procedures able to show, with reasonable assurance, “that the device and related systems are cybersecure” and create post-market updates and patches to the device and connected systems that address “on a reasonably justified regular cycle, known unacceptable vulnerabilities,” according to the guidance.
For vulnerabilities discovered out of cycle, the manufacturer must also make public, as soon as possible, “critical vulnerabilities that could cause uncontrolled risks.”