New laws passed by the US government, which came into effect on 29 March 2023, give the U.S. Food and Drug Administration (FDA) authorisation to require cybersecurity adjustments in submitted medical devices. The requirement will take effect 90 days from the law being passed, giving vendors until October 1, 2023, to prepare submissions meeting the new standards.
In its newly issued guidance for cyber devices, the FDA has said it intends not to issue ‘refuse to accept’ (RTA) decisions for cybersecurity shortcomings to vendors who submitted before this deadline. The agency plans to work collaboratively with sponsors as part of the review process to meet the new laws passed in the Consolidated Appropriations Act, 2023 by the US Senate.
By October this year, the FDA expects submissions to meet the new requirements, stating that sponsors will have had sufficient time to prepare their premarket submissions. For submissions that do not tick the cybersecurity boxes, the FDA will duly issue RTAs.
Cybersecurity is becoming a more pertinent concern as more medical devices become connected to the internet, healthcare systems, and other digital devices. As connectivity and digital integration become an increasingly common feature in medical devices, security risks increase too. Data breaches are one of the main concerns – medical health records, insurance details and payment information could all be leaked.
Remote patient monitoring devices have become a highly scrutinised area due to their use by patients themselves inside home settings where digital security might be weaker.
According to GlobalData, between 2020 and 2025, cybersecurity in medical devices is forecast to grow at a CAGR of 7.3% from $869mn to $1.23bn. Inextricably linked will be the money spent by healthcare providers and payors to ensure digital safety too – this will grow slightly faster at a rate of 8.1%, from $4.59bn to $6.77bn.