
FDA Now Requires Cybersecurity for Medical Devices. What It Means for Your Practice.

The FDA has significantly strengthened its cybersecurity requirements for medical device manufacturers. New guidance requires manufacturers to address cybersecurity throughout the product lifecycle: during design, during market authorization, and post-market through updates and vulnerability management.

This matters for your practice because the devices in your operatories, exam rooms, and labs are connected to your network, and many of them have historically shipped with weak or no security controls.

What's Changing

Secure by Design

Manufacturers must now demonstrate that cybersecurity was considered during device design. This includes: authentication mechanisms, encryption for data in transit and at rest, software update capabilities, and vulnerability testing.

Software Bill of Materials (SBOM)

Manufacturers must provide an SBOM listing all software components in their devices, including open-source libraries. This is a direct response to vulnerabilities like Log4Shell, where organizations couldn't determine if their devices were affected because they didn't know what software was inside them.
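The practical value of an SBOM is that the "are we affected?" question becomes a lookup instead of a guess. The following is an added example, not code from the page, the FDA, or any device vendor: it reads a small CycloneDX-style SBOM (the JSON shape is real; the device, its components, and the advisory record are constructed for illustration) and reports every component whose version falls inside an advisory's affected range. The Log4Shell entry's version range is illustrative; in practice the range would come from the vendor's or NVD's advisory.

```python
"""Match a CycloneDX-style SBOM against a list of known-vulnerable components.

Added example for illustration; not the page's, the FDA's, or any vendor's code.
The SBOM below and the advisory list are constructed test data.
"""
import json
import re

# Constructed SBOM for a fictional "ExampleSensorBridge" device, in CycloneDX JSON shape.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "ExampleSensorBridge", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1w"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "vendor-ui-toolkit"},  # no version: cannot be assessed
    ],
})

# Constructed advisory list: a component plus the affected range
# [introduced, fixed). The Log4Shell range here is illustrative only;
# real ranges must come from the vendor or NVD advisory.
ADVISORIES = [
    {"id": "EXAMPLE-LOG4SHELL", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0",
     "summary": "Log4Shell (JNDI lookup remote code execution)"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '1.1.1w' into a comparable numeric tuple.

    Only the leading dotted numeric prefix is used; pre-release or letter
    suffixes are ignored, and the tuple is padded to four parts so that
    '2.15' and '2.15.0' compare equal.
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (max(4, len(parts)) - len(parts)))


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_affected(sbom_json: str, advisories: list) -> list:
    """Return one dict per (component, advisory) match found in the SBOM."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        version = comp.get("version")
        if not version:
            continue  # reported separately by unassessable_components()
        for adv in advisories:
            if comp.get("name") != adv["name"]:
                continue
            # Match on group too when the advisory names one (e.g. Maven coordinates).
            if adv.get("group") and comp.get("group") != adv["group"]:
                continue
            if in_range(version, adv["introduced"], adv["fixed"]):
                hits.append({
                    "component": f"{comp.get('group', '')}/{comp['name']}@{version}",
                    "advisory": adv["id"],
                    "summary": adv["summary"],
                    "fixed_in": adv["fixed"],
                })
    return hits


def unassessable_components(sbom_json: str) -> list:
    """Names of components that carry no version and so cannot be checked.

    An SBOM entry without a version is itself a finding to raise with the vendor.
    """
    bom = json.loads(sbom_json)
    return [c.get("name", "<unnamed>") for c in bom.get("components", []) if not c.get("version")]


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"AFFECTED: {hit['component']} -> {hit['advisory']} ({hit['summary']}); fixed in {hit['fixed_in']}")
    for name in unassessable_components(SAMPLE_SBOM):
        print(f"NO VERSION: {name} (ask the vendor for a complete SBOM)")
```

Run it as-is and it flags the log4j-core entry while leaving log4j-api alone (the advisory names only log4j-core), and it separately lists the versionless component, which is the kind of gap a practice or its IT provider should push back on when a vendor hands over an incomplete SBOM.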

Post-Market Updates

Manufacturers must have a plan for addressing vulnerabilities discovered after the device is on the market. This means firmware updates, security patches, and communication about known vulnerabilities.

What This Means for Your Practice

Better Devices Are Coming

New medical devices will be more secure than previous generations. Authentication, encryption, and update capabilities will be standard rather than optional.

Legacy Devices Remain a Risk

Devices already in your practice aren't affected by the new requirements. Your existing X-ray sensor, CBCT machine, or patient monitor may still run outdated software with no update mechanism. These devices remain a risk until they're replaced.

Ask Your Vendors

When evaluating new medical device purchases, ask:

  1. Does this device receive regular firmware/software updates?
  2. What authentication does it use? Can default credentials be changed?
  3. Does it encrypt data in transit and at rest?
  4. What is the expected security support lifecycle?
  5. Can you provide the Software Bill of Materials?
  6. How are vulnerabilities reported and addressed?

Network Segmentation Remains Critical

Whether your devices are old or new, they should be on a separate network segment from your EHR/PMS server and workstations. Segmentation protects your critical systems even if a device is compromised.

The Broader Trend

The FDA's action is part of a broader trend across all regulated industries: manufacturers and vendors are being held accountable for the security of their products. SBOMs are becoming standard. Secure-by-design is becoming a requirement, not a marketing claim.

For practices, this means better tools are coming. In the meantime, segment your network, update what you can, and replace what you can't.