Medical Device Makers Face Increased Cybersecurity Standards From the FDA

A new law from the U.S. Food and Drug Administration will require medical device makers to meet cybersecurity requirements in order to gain regulatory clearance for devices.

The new prerequisites are part of the Consolidated Appropriations Act, 2023 and mandate that medical devices submitted for regulatory approval must provide information on four core cybersecurity requirements.

The requirements are detailed in the FDA guidance "Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act" and are outlined below:

  • Submit to the Secretary a plan to monitor, identify and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
  • Design, develop and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure. Make available post-market updates and patches to the device and related systems to address, on a reasonably justified regular cycle, known unacceptable vulnerabilities; and, as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.
  • Provide to the Secretary a software bill of materials, including commercial, open-source and off-the-shelf software components.
  • Comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

In addition, the bill requires the FDA to work with the U.S. Cybersecurity and Infrastructure Security Agency to update existing cybersecurity guidance on medical devices every two years and to commit to updating online resources focused on cybersecurity in healthcare, initially within six months of the bill's enactment and then at least annually thereafter.

The law comes into effect as concerns over cybersecurity in the healthcare sector are at a fever pitch due to increasing cyber-attacks. A recent report linked a 20% increase in mortality rates to cyber-attacks targeting healthcare organizations.

Additionally, a 2022 FBI report found that 53% of digital and internet-accessible medical devices had known critical vulnerabilities. According to the report, these devices included insulin pumps, intracardiac defibrillators, mobile cardiac telemetry and pacemakers.

While there is a wave of initial skepticism from the healthcare industry due to previous attempts by the FDA to shore up cybersecurity, many industry experts see this law as real change for the medical device market, since medical device manufacturers can be blocked from the market for failing to meet the requirements.

The FDA has announced that medical device makers will have a 6-month grace period before it starts enforcing the new rule on October 1, 2023.

However, there is still a lot of uncertainty about how the FDA will enforce the new rule on existing devices already in the field – something that will certainly be a hot topic after October 1.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
