New Medical Device Law – Will it Help?
Dr. Suzanne Schwartz of the Food and Drug Administration says the new cybersecurity requirements for medical devices in the $1.7 trillion spending bill Biden recently signed are a game changer.
Up until now, if the manufacturer patched a device, or if a hospital patched the operating system of one of these devices, the device was no longer approved for use.
Under this new law, manufacturers, when they submit their product for certification, must prove to the FDA that the device can be updated and patched, as well as explain their security controls and testing. They also have to provide the FDA with a software bill of materials (SBoM) for commercial, open-source and off-the-shelf software components.
While this only applies to new devices, it is a start. Up until now, the FDA could only ask manufacturers politely to do these things. Now they can say, “If you want to get your device approved and be able to sell it, do this.” That is a big difference, even if it is not perfect.
Hospitals can, of course, once this starts moving through the pipeline, say that only vendors whose devices followed this new protocol need to bother responding to their RFPs. Since the hospitals are the ones that will get sued if the devices get hacked, they might be very motivated to do this. That is likely far more effective – and likely to happen – than Congress passing more laws. Congress only gave the FDA $5 million to implement this, but I am not sure how complex it is to build this process.
Let’s see what happens.
Credit: Data Breach Today