In March 2023 the FDA issued: “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems”.
A medical device is classified as a “cyber device”, meaning that it needs security, if it:
- Has software
- Has a network interface (or a USB interface)
- Could be adversely affected by a cyber-attack
For pre-market submissions, medical device manufacturers must:
- Have a process that considers security from the start
- Make sure devices are secure, including testing
- Provide a software bill of materials
- Submit a plan to monitor and address post-market cybersecurity vulnerabilities
- Support a software update process for in-field devices to address identified vulnerabilities