FDA cybersecurity guidance: New law all SaMD manufacturers must follow

May 31, 2023

SaMD series

Weronika Michaluk

Digital Health Principal
SaMD Lead at HTD Health

On March 29, 2023, the Food and Drug Administration (FDA) announced that it will require medical device manufacturers to comply with FDA cybersecurity guidance. Remediating vulnerabilities has been top of mind for health executives and regulators alike, and the new FDA guidelines aim to alleviate fears of hacking and ransomware attacks. Risk reduction is crucial as the number of internet-connected devices in the healthcare industry keeps growing.

The FDA has faced criticism over the years for not doing enough to protect medical devices from being hacked. A 2018 report from the US Department of Health and Human Services’ Office of the Inspector General found that the FDA’s plans and processes for addressing medical device cybersecurity compromises were deficient.

Rising demand for medical device security

In 2021, a group of researchers investigating software used in medical devices and machinery used in other industries found over a dozen vulnerabilities that, if exploited by a hacker, could cause critical equipment such as patient monitors to crash.

The FBI released a report in 2022, which found that 53% of digital medical devices and other internet-connected products used in hospitals had known critical vulnerabilities. The report also highlighted specific medical devices that are susceptible to cyberattacks, such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, and pacemakers. The FBI report stated that “malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.”

President Joe Biden signed an extensive federal omnibus bill in December 2022, totaling $1.7 trillion, which included provisions to counteract the rising medical device cybersecurity concerns raised in these reports. As part of the bill, the FDA must update its medical device cybersecurity guidance at least every two years.

FDA cybersecurity new guidance release

According to the new FDA guidance issued in late March 2023, all new medical device applicants will be required to submit a plan on how to “monitor, identify, and address” cybersecurity issues. These plans must provide reasonable assurance that a device is protected against cyber threats. Additionally, applicants will need to make security updates and patches available on a regular schedule, provide the FDA with a software bill of materials, and document any open-source or other software their devices use.

The FDA cybersecurity guidance aims to address these concerns and improve the cybersecurity of medical devices. By requiring medical device manufacturers to create a plan to monitor, identify, and address cybersecurity issues, the FDA hopes to provide reasonable assurance that the devices are protected against cyber threats.

The requirement for security updates and patches to be made available on a regular schedule, and out of schedule in critical situations, aims to ensure that newly discovered vulnerabilities can be addressed promptly. The software bill of materials gives the FDA and the manufacturer a complete inventory of the open-source and other components a device uses, so that known vulnerabilities in those components can be identified and tracked for the life of the device.
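As an added example (not part of the original article, and not code from the FDA or HTD), the following script shows the kind of check the SBOM requirement makes possible: it verifies that every component in a CycloneDX-style bill of materials carries the fields needed to track it, and matches component versions against an advisory list. The SBOM fragment, component names, versions, PURLs and the advisory identifier are all constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component names, versions and
# PURLs are illustrative placeholders, not taken from any real device.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "mbedtls", "version": "2.28.1",
     "purl": "pkg:generic/mbedtls@2.28.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "ble-stack", "version": "",
     "purl": "pkg:generic/ble-stack"}
  ]
}"""

# Constructed advisory feed: component -> affected versions and a placeholder ID.
KNOWN_VULNERABLE = {
    "openssl": {"versions": {"1.1.1j", "1.1.1k"}, "id": "ADVISORY-PLACEHOLDER-1"},
}

# Fields each component needs so it can be tracked against advisories over time.
REQUIRED_FIELDS = ("name", "version", "purl", "licenses")


def check_sbom(sbom_text):
    """Return (incomplete, vulnerable) for one SBOM document.

    incomplete: (name, missing_fields) for components that cannot be monitored.
    vulnerable: (name, version, advisory_id) for components in the advisory feed.
    """
    sbom = json.loads(sbom_text)
    incomplete, vulnerable = [], []
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            incomplete.append((comp.get("name", "<unnamed>"), missing))
        adv = KNOWN_VULNERABLE.get(comp.get("name"))
        if adv and comp.get("version") in adv["versions"]:
            vulnerable.append((comp["name"], comp["version"], adv["id"]))
    return incomplete, vulnerable


if __name__ == "__main__":
    inc, vul = check_sbom(SBOM_JSON)
    for name, fields in inc:
        print(f"incomplete entry: {name} is missing {fields}")
    for name, version, adv in vul:
        print(f"patch needed: {name} {version} ({adv})")
```

An entry without a version or license cannot be matched to future advisories, which is why the check reports it separately from components that already match a known issue.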

However, it remains to be seen how effective these new guidelines will be in practice. Cyber threats are constantly evolving, and medical device manufacturers will need to stay vigilant to ensure that their devices remain secure. Additionally, it is important to note that the new guidelines only apply to new medical devices. Many existing devices may still be vulnerable to cyber threats, and it is up to healthcare providers to ensure that they are protected.

In conclusion, the new regulations for medical device cybersecurity are a positive step towards improving the security of internet-connected devices used in healthcare. By requiring medical device manufacturers to create a plan to monitor, identify, and address cybersecurity issues, the FDA aims to provide reasonable assurance that these devices are protected against cyber threats. However, it is important to note that the guidelines only apply to new devices, and existing devices may still be vulnerable to cyber threats.

If you would like to learn more about medical device software development and medical device cybersecurity or how to ensure that you comply with new FDA guidance, schedule your free consultation with the HTD.

Weronika is a Digital Health Principal and SaMD Lead at HTD. She holds a Master's degree in International Business from the University of Miami, an MBA from the Warsaw School of Management, and a Doctorate in Public Health (DPH) with a specific focus on the business strategy of Software as a Medical Device (SaMD).
