
Hidden in this year’s federal spending bill, among major changes to Medicare payments to doctors and post-pandemic Medicaid, lies a little-noticed change with big implications: a mandate to protect medical devices connected to the internet from hacks or ransomware attacks.
The law, which goes into effect Wednesday, explicitly states that companies cannot sell their connected medical devices without first showing the Food and Drug Administration a solid cybersecurity plan. It also gives the FDA $5 million to see a higher security standard through. Historically, the agency has lacked the resources to keep up with rapidly evolving security threats, or the authority to force device makers to comply with its draft guidelines.
“FDA is not going to have to argue with people anymore,” said Naomi Schwartz, a senior director at cybersecurity consulting company Medcrypt and former reviewer at the FDA. “It’s going to increase the scrutiny.”
