Summary: New US Bill Obliges FDA to Release Up-To-Date Cybersecurity Guidelines for Medical Devices

The bill seeks updated guidelines to protect medical devices from cyberattacks, reducing risks to patient safety in the process.

A new bill introduced in the US Senate on May 26th proposes timely updating of cybersecurity guidelines for medical devices and related public resources, and a Comptroller General (the chief accounting officer of the US Government) audit of the support provided and improvements needed in federal agencies to ensure cybersecurity. Titled the ‘Strengthening Cyber-security of Medical Devices Act’ (SCMDA), it was introduced by Senators Jacky Rosen and Todd Young. It has since been referred to the Senate Committee on Health, Education, Labor, and Pensions.

“Medical devices are increasingly connected to the Internet or other health care facility networks to provide features that improve the ability of health care providers to treat patients. Our bill helps ensure medical devices are protected from cyberattacks and used safely and securely in order to reduce risks and vulnerabilities for patients,” Senator Young said in a press release after the introduction of the bill. 

The security and integrity of medical devices is an issue increasingly discussed by lawmakers in other countries. In November 2021, Sajid Javid, former UK Health Secretary, ordered a review of claims of racial bias in medical devices. Weeks before the SCMDA was introduced, the US Senate Committee on Health, Education, Labor, and Pensions heard testimony from a cybersecurity expert on the cybersecurity vulnerabilities of medical devices.

Why it matters: The state of security of medical devices in India gains significance in light of the government’s health digitisation project, the Ayushman Bharat Digital Mission (ABDM), which would also feature “IoT and other devices like wearables”. Further, in India, 80% of sales from medical devices are currently generated from imports. In March, the Department of Pharmaceuticals (DoP) released the draft Medical Devices Policy 2022 with the aim to bolster India’s share in the world medical device market. However, the policy made no mention of any cybersecurity standards or safeguards. The development may prove a useful resource for policymakers looking at the regulation of medical devices.


Provisions Made for Cybersecurity in the Bill


i) Reviewing guidelines for cybersecurity of medical devices

  • The bill obliges the Secretary of the US Department of Health and Human Services (HHS) to review and update the medical device cybersecurity guidelines—called the ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’—every two years.
  • These would guide the industry and staff of the Food and Drug Administration (FDA) on the cybersecurity of medical devices. The FDA, an agency under the Department of Health and Human Services, regulates medical devices in the US and has been responsible for issuing cybersecurity guidelines. However, according to The Verge, there are no obligations laid out presently for the FDA to publish periodic recommendations on how medical device makers should secure their devices.
  • The bill says the update and review of cybersecurity guidelines should be undertaken in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and consider comments from ‘medical device manufacturers, health care providers, and patient advocates.’ The CISA is the agency in charge of ensuring cyber as well as physical security for US infrastructure.
  • The HHS Secretary’s updates to the guidelines could be made to specific provisions, that is, they would not require the release of an entirely new set of guidelines, the bill says. The first update should be completed two years after the bill is enacted.

ii) Issuing information for improving cybersecurity in medical devices

Apart from specialised guidance, the bill also lays down obligations with regard to public resources made available by the FDA on cybersecurity in medical devices.

  • The HHS Secretary should update such information every 180 days (6 months);
  • Resources should contain information for health care providers (such as doctors, nurses), healthcare systems, and medical device manufacturers on identifying and addressing vulnerabilities. They should also mention how these entities can obtain support from the CISA, HHS, and other government agencies for cybersecurity.

iii) Comptroller General to release audit report in a year after Act is enforced

Lastly, the bill lays down that the Comptroller General will publish a report on challenges in ensuring the cybersecurity of medical devices. It specifically asks for such a report to also examine the following:

  • “Challenges for medical device manufacturers, health care providers, health systems, and patients in accessing Federal support to address vulnerabilities across Federal agencies; and
  • How Federal agencies can strengthen coordination to better support cybersecurity for medical devices.”

How Do Medical Devices Fit In with ABDM?

Under the ABDM, medical devices are planned to be used as a data source for a citizen’s Electronic Health Records (EHR). The ABDM’s 2018 strategy paper said that it plans to allow citizens to add readings from “IoT and other devices like wearables” to their PHR. These readings could then be accessed by doctors when users share their electronic health records with them, during medical consultations.

During pilot projects held in Uttarakhand, Bihar, and Pune, the health records of multiple individuals were digitised and stored. They were provided smartwatches for sharing this data with Health Information Users, such as hospitals or doctors. It is expected that these projects will later be integrated with the ABDM.

Further, the NHA has also proposed the creation of a Drug Registry as part of the ABDM. The Drug Registry is proposed to be an all-in-one database for drugs in the country. At a recent consultation meeting, stakeholders asked that medical devices also be included in the Drug Registry, since they are included in the definition of drugs under the Drugs and Cosmetics Act, 1940. The stakeholders said that the inclusion of medical devices in the registry could finally lead to the creation of a comprehensive list of such devices manufactured or sold in India, especially since the use of such devices has increased due to the COVID-19 pandemic.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Written By

I cover health technology for MediaNama but, really, love all things tech policy. Always willing to chat with a reader! Reach me at anushka@medianama.com

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
