Skip to Main Content

Hidden in this year’s federal spending bill, among major changes to Medicare payments to doctors and post-pandemic Medicaid, lies a little-noticed change with big implications: a mandate to protect medical devices connected to the internet from hacks or ransomware attacks.

The law, which goes into effect Wednesday, explicitly states that companies cannot sell their connected medical devices without first showing the Food and Drug Administration a solid cybersecurity plan. It also gives the FDA $5 million to see a higher security standard through. Historically, the agency has lacked the resources to keep up with rapidly-evolving security threats, or the authority to force device makers to comply with its draft guidelines.


“FDA is not going to have to argue with people anymore,” said Naomi Schwartz, a senior director at cybersecurity consulting company Medcrypt and former reviewer at the FDA. “It’s going to increase the scrutiny.”

Unlock this article by subscribing to STAT+ and enjoy your first 30 days free!


Create a display name to comment

This name will appear with your comment

There was an error saving your display name. Please check and try again.