The US Food and Drug Administration (FDA) staff has published new guidelines to strengthen the cybersecurity levels of internet-connected products used by hospitals and healthcare providers.
According to a guidance document published earlier today, applicants seeking approval for new medical devices must submit a plan designed to “monitor, identify and address” possible cybersecurity issues associated with them.
Further, applicants will also need to outline a process to provide “reasonable assurance” that the device in question is protected with regular security updates and patches, including for critical situations.
Finally, they will be expected to provide the FDA with “a software bill of materials,” which should include commercial, open-source and off-the-shelf software components.
The FDA guidelines provide information regarding the definition of “cyber device,” intended as a device that includes software validated, installed or authorized by the sponsor as a device or in a device, that can be connected to the internet and contains technological characteristics that could be vulnerable to cybersecurity threats.
The guidance document is part of the $1.7 trillion federal omnibus spending bill President Joe Biden signed in December 2022. The legislation also requires the FDA to update its medical device cybersecurity guidance at least every two years.
The new FDA guidelines come a couple of months after security experts at Sonar found three vulnerabilities in OpenEMR, an open-source software for electronic health records and medical practice management.
More recently, the infamous Russia-affiliated hacktivist group known as KillNet was observed targeting healthcare applications hosted using the Microsoft Azure infrastructure.
Given the considerable efforts threat actors put into targeting the healthcare industry, the FDA’s new requirements could save lives. This is particularly true when considering a September 2022 report by Proofpoint’s Ponemon Institute that linked increased mortality rates to cyber-attacks targeting healthcare organizations.