
Hidden in this year’s federal spending bill, among major changes to Medicare payments to doctors and post-pandemic Medicaid, lies a little-noticed change with big implications: a mandate to protect medical devices connected to the internet from hacks or ransomware attacks.

The law, which goes into effect Wednesday, explicitly states that companies cannot sell their connected medical devices without first showing the Food and Drug Administration a solid cybersecurity plan. It also gives the FDA $5 million to see a higher security standard through. Historically, the agency has lacked the resources to keep up with rapidly evolving security threats, and the authority to force device makers to comply with its draft guidelines.


“FDA is not going to have to argue with people anymore,” said Naomi Schwartz, a senior director at cybersecurity consulting company Medcrypt and former reviewer at the FDA. “It’s going to increase the scrutiny.”

STAT+ Exclusive Story

This article is exclusive to STAT+ subscribers.