The Omnibus Appropriations Act Grants FDA Formal Authority to Require Cybersecurity Action by Medical Device Manufacturers

Cyberattacks affecting internet-connected medical devices like insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps have increased in recent years. And such attacks show no sign of slowing, as the number and type of medical device products that are connected to the cloud increase (thereby increasing the attack surface for hackers), and as hackers become more sophisticated. Indeed, in a September 2022 FBI Private Industry Notification, the FBI noted that around 53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. These vulnerabilities could allow hackers to direct medical devices to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.

In the past, the U.S. Food & Drug Administration (FDA) has urged manufacturers to take measures to ensure the cybersecurity of their products through non-binding guidance. On December 29, 2022, President Biden signed into law the $1.7 trillion Omnibus Appropriations Act, which provided the FDA with authority to require manufacturers to take cybersecurity protection measures as to medical devices that are brought to market through future pre-market submissions. See H.R. 2617 (117th Congress, 2021-2022), text available here.