FDA can now reject new medical devices over cyber standards
Under the law, manufacturers must design and release updates and patches after a product goes to market, provide a software bill of materials, and submit a plan for identifying and addressing “postmarket cybersecurity vulnerabilities.” The rules impact devices that have software and are connected to the internet, for example insulin pumps, blood sugar monitors, and certain pacemakers.
This is a welcome development! I usually don’t track the medical devices sector (which has more sundry items used in hospitals), but as we move towards “Internet of Everything” (IoE) via 6G, this will assume immense significance.
6G is more exciting than 5G, because 5G is only an incremental improvement over existing standards. There have been clarion calls for telecom companies to partner with “start-ups”, but that would divert them from their core business: providing telecom solutions for the masses. Besides, with private provisioning through 5G, they are keener to preserve their turf with enterprises. Telecom companies can’t metamorphose into technology companies. In addition, you hardly see significant investments in “research and development”; instead, they end up importing most of the equipment.
With this background, it is clear they will need a significant boost (and investments) in “allied domains”, the way technology companies invest in perpetual software updates and undergo mandatory testing of the specific software delivered to hardware, with cryptographic signatures ensuring that no tampering has been done.
A little more context:
The focus on device manufacturers is in line with a new government focus on accountability for software makers and industry for defects in products, rather than on users — a point of emphasis of the recently released National Cybersecurity Strategy.
Great legislation and rules! Brilliant idea!