New Law Gives FDA Regulatory Authority Over Medical Device Cybersecurity


As we shift ever further into the digital age, more and more medical devices are leveraging internet connectivity. This connectivity helps devices make leaps and bounds in healthcare analytics, diagnostics, and ultimately patient care. With innovation, however, comes risk. In this case, connecting sensitive medical instruments to the internet leaves them vulnerable to cyberattacks. Cyberattacks could ultimately cause patients harm, as well as cause massive financial damage to healthcare organizations. With such risks presenting themselves, the federal government passed a law allowing the FDA to regulate this growing side of medical technology. This also opens the floodgates for new types of risks and adverse events for which quick and proper medical device reporting will be crucial.

The FDA’s New Authority & What It Means For The Industry

With the new law put into effect, the FDA obtained the authority to establish new security protocols surrounding cybersecurity. The federal government also gave the FDA $5 million. The funds will help the agency not only establish those security requirements but also secure the resources necessary to enforce them. This law is contained in the appropriations bill and went into effect with President Biden’s sign-off near the end of 2022. It requires manufacturers of medical devices with internet connectivity to ensure, within reason, that their devices uphold cybersecurity standards. From here on out, medical devices with internet connectivity will need to include a list of materials and evidence showing that the device can be updated through software patches.

With more FDA regulations surrounding the cybersecurity aspect of medical device safety and reporting, a shift in information and responsibility is sure to take place soon. Note that the new law applies only to medical devices not yet on the market and still awaiting FDA approval. This means that internet-connected medical devices already on the market are not subject to it. How soon manufacturers will be held to these new security requirements, however, is still unclear. One factor is how successful some manufacturers are in petitioning to delay the date on which the law takes effect.

What Risks Will Surface & How Medical Device Reporting Can Mitigate Them

Some manufacturers may seem taken aback by the FDA’s crackdown on digital security. However, cybersecurity is hardly a new issue in the healthcare field. In fact, healthcare organizations have already dealt with cybersecurity concerns arising from medical devices connected to the internet. A survey of healthcare IT professionals conducted by Capterra shows just how dire this concern is becoming. Organizations also remain vulnerable until the law goes into effect, since medical device reporting does not yet cover this problem.

The survey reports that 75% of healthcare organizations have experienced a cyberattack, and 41% of those experienced more than one attack. Almost half of these cyberattacks impacted patient care, while 67% of them impacted private patient healthcare information.

As if this weren’t enough to spring organizations into action, it’s likely to get worse. The study shows a significant connection between the number of internet-connected devices an organization has and the number of cyberattacks it suffers. If the past two decades are any indication, organizations overall will likely have many more medical devices with internet connectivity by the end of the decade.

More opportunities for cyberattacks mean more negative effects on patient health and information. Manufacturers and user facilities will need to stay vigilant to curb these risks. Yet cybersecurity will remain subject to the manufacturer’s goodwill, as it isn’t covered under the FDA’s jurisdiction until the law goes into effect. Once it does, however, relevant organizations can take advantage of medical device reporting to raise red flags on cybersecurity vulnerabilities.

How Your Organization Can Take Advantage Of This Industry Shift

Once the FDA is officially able to regulate cybersecurity requirements on medical devices, medical device reports will come flooding in. If the past is any indication, the number of reports to process and act on will likely overwhelm the FDA. As a result, it may take months or even years for medical devices with cybersecurity vulnerabilities to be removed.

The good news is that your organization doesn’t have to stay a sitting duck waiting for a recall. Take preventative action with Device Events. Our software leverages data analytics and natural language processing technology to make information on problem devices easily accessible to our customers. This in turn improves health outcomes and patient safety while reducing risk for your organization. If you’re curious to learn about how our software can help your unique organization, contact us today.