FDA launches new cybersecurity requirements for medical devices

ARTICLE | June 23, 2023

Authored by RSM US LLP


As medical device technology has become more advanced and connectivity between a growing number of systems and tools throughout medical facilities and organizations has increased, potential cybersecurity gaps and vulnerabilities have also emerged. With threat actors no longer primarily seeking financial information and credit card data and instead looking to breach systems with vast amounts of personal data like hospitals and health systems possess, connected medical devices are under more scrutiny from regulators.

The federal government, for example, recently amended medical device requirements by adding a new Ensuring Cybersecurity of Devices section to the Federal Food, Drug, and Cosmetic Act. The new guidance helps ensure that products entering the market are more secure, thereby decreasing the likelihood of a security incident stemming from manufactured devices. In addition, the guidelines promote continuous monitoring of the software bill of materials (SBOM) so that higher-risk vulnerabilities are resolved in a timely manner.

How new guidelines affect device manufacturers and health care providers

The security requirements apply to manufacturers of cyber devices, including those for medical use, that file for Food and Drug Administration (FDA) approval after March 29, 2023, including 510(k), premarket approval application, Product Development Protocol, De Novo or Humanitarian Device Exemption applicants. While the cybersecurity requirements do not apply to an application or submission to the FDA before March 29, any manufacturer’s change to a previously authorized device that warrants premarket FDA review requires adherence to the new standard.

Although the Ensuring Cybersecurity of Devices requirements are already in place, FDA submissions made before Oct. 1, 2023, will not automatically be issued a refuse to accept (RTA) decision on that basis. Instead, the FDA will likely work with manufacturers as part of the review process to resolve any potential deficiencies associated with the new requirements and help get them across the compliance finish line. After Oct. 1, however, manufacturers will likely have to demonstrate adherence to the requirements through submitted documentation or face an RTA decision without the collaboration referred to above.

Even if devices are grandfathered into a previous standard, manufacturers should consider bringing them into compliance with the new guidelines to generate more confidence in their security measures. In addition, while healthcare providers and systems are not held accountable by the new requirements, they may want to evaluate current devices and consider upgrading systems and applications to help ensure that effective protections are in place to help avoid cyberattacks. They can also mitigate potential risks by segregating outdated devices onto their own network until they can determine a long-term solution.

These new guidelines place considerably more awareness and responsibility on device manufacturers, with new demands spanning development and testing through sustaining the SBOM throughout the device's life cycle.

Developing an effective compliance approach

What steps should manufacturers and health systems take to help confirm that devices are secure and adhere to the new Ensuring Cybersecurity of Devices guidelines? Both parties should start by creating a documented plan to continuously monitor devices to identify and remediate post-market vulnerabilities. In addition, manufacturers and providers should establish processes and procedures to support the plan to provide assurance that devices are secure and emerging vulnerabilities can be remediated in a timely manner.

Manufacturers must ensure they can provide the SBOM to the FDA, including commercial (e.g., off-the-shelf) and open-source software components. Further, they must be prepared to demonstrate compliance with future requirements introduced through FDA regulation for additional assurance that devices are secure.
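The continuous SBOM monitoring the article describes comes down to two recurring checks: is the SBOM complete enough to act on, and which listed components fall within a known-vulnerable version range, ranked by risk so the higher-risk ones are fixed first. The example below is added here and is not RSM's or the FDA's code; the CycloneDX-style SBOM, the advisory feed and the advisory IDs are constructed placeholders, not real products or CVEs.

```python
"""Match a CycloneDX-style SBOM against an advisory feed and rank the findings by risk."""
import json
import re

# Constructed sample SBOM for a hypothetical device firmware image (not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.13"},
    {"type": "library", "name": "vendor-rtos-stack", "version": "4.2", "purl": "pkg:generic/vendor-rtos-stack@4.2"}
  ]
}"""

# Constructed advisory feed with placeholder IDs. "affected" is [min_inclusive, max_exclusive).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "openssl", "affected": ("1.1.1", "1.1.1l"), "cvss": 7.5},
    {"id": "ADV-PLACEHOLDER-2", "name": "zlib", "affected": ("1.2.0", "1.2.12"), "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-3", "name": "vendor-rtos-stack", "affected": ("4.0", "4.3"), "cvss": 5.3},
]

def version_key(version):
    """Sortable key: numeric parts compare as ints, letter suffixes (e.g. 1.1.1k) as strings."""
    return [(0, int(p)) if p.isdigit() else (1, p.lower()) for p in re.findall(r"\d+|[a-zA-Z]+", version)]

def is_affected(version, lo, hi):
    return version_key(lo) <= version_key(version) < version_key(hi)

def severity(cvss):
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

def incomplete_components(sbom_json):
    """Names of components that cannot be matched reliably: missing a version or a package URL."""
    comps = json.loads(sbom_json)["components"]
    return [c["name"] for c in comps if not c.get("version") or not c.get("purl")]

def match_sbom(sbom_json, advisories):
    """Return findings sorted so the highest-risk (highest CVSS) component comes first."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], *adv["affected"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "cvss": adv["cvss"], "severity": severity(adv["cvss"])})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

if __name__ == "__main__":
    print("incomplete SBOM entries:", incomplete_components(SBOM_JSON))
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['component']} {f['version']} -> {f['advisory']} (CVSS {f['cvss']})")
```

In this sample the zlib entry is flagged as incomplete (no purl) and is outside the advisory's range, while the openssl and RTOS entries match and are ordered high before medium.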

Healthcare organizations should pay close attention when planning device purchases. Even if a hospital or provider purchases a device after March 29, 2023, that device may still be grandfathered into the older guidelines and not subject to the new FDA cybersecurity guidelines.

It is important for providers to perform necessary due diligence to ensure expectations are met.

Moving forward, healthcare providers should integrate an additional testing step before the procurement phase to ensure devices are FDA-ready. This step should confirm that purchased devices are secure and a line of communication should be established with the manufacturer to address any potential future security concerns.

The risks of noncompliance will continue for quite some time, so maintaining contact with manufacturers will be critical for providers.

"When health care systems make purchases, they should work with the manufacturers to reduce risks, whether they segregate older devices to their own network or actually apply patches because most of the older devices may have inherent risks associated, but many providers may not know what to do with the medical devices."

Paul Fountain, RSM US LLP director

Getting the right advice

The considerable advances in medical device technology have increased efficiency, insight, and the quality of patient care. However, the increased connectivity in an extremely expansive number of devices has also created more potential for cybersecurity vulnerabilities. With increased FDA oversight, both manufacturers and healthcare providers need to adapt processes to ensure devices are in line with new security expectations.

RSM's experienced consultants can advise device manufacturers and healthcare providers on how to align with the new Ensuring Cybersecurity of Devices guidelines. For example, our team can provide targeted penetration testing of cyber devices prior to FDA filing, SBOM documentation, process design for both pre- and post-market continuous vulnerability identification and remediation, and a managed vulnerability management program (e.g., periodic, defined vulnerability scanning).

Contact our team to learn how we can work with you to develop an FDA-compliant approach to medical device development, production, and maintenance.

This article was written by RSM US LLP and originally appeared on Jun 23, 2023.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/fda-launches-new-cybersecurity-requirements-for-medical-devices.html

Vasquez & Company LLP is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.