SecureWorld News

FDA on Medical Device Cybersecurity: Looking for More Power

Written by SecureWorld News Team | Fri | Apr 20, 2018 | 4:21 PM Z

One thing we've heard repeatedly from medical CISOs at our regional cybersecurity conferences is that the FDA needs to require medical device manufacturers to follow security best practices, right from the start of the product lifecycle.

This week, the FDA announced it is looking for more power to do just that.

The agency has a full plate already. It regulates over 190,000 different devices, which are manufactured by more than 18,000 firms in more than 21,000 facilities worldwide.

Now, finally, medical IoT security is stepping into the limelight as part of the agency's new Medical Device Safety Action Plan.

The agency says it will consider potential new pre-market authorities to require firms, on the front end, to enact two key initiatives:

  • Build capability to update and patch device security into a product’s design and to provide appropriate data regarding this capability to FDA as part of the device’s pre-market submission.
  • Develop a “Software Bill of Materials” that must be provided to FDA as part of a pre-market submission and made available to medical device customers and users, so that they can better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities.

In a world where everything from insulin pumps to implanted pacemakers is connected, the ability to mitigate cyber risks quickly could ensure these devices only do what they are supposed to: save lives.