U.S. Cyber Trust Mark Agrees to Archimedes Recommendations to Exclude Medical Devices

February 23, 2024
by Kevin Fu

The FCC plans to exclude medical devices from its proposed U.S. Cyber Trust Mark program. This is a huge win for medical device security. The Archimedes Center for Health Care and Medical Device Cybersecurity has been hard at work supporting medical device manufacturers and health care providers to ensure that the required pre-market cybersecurity engineering and post-market management of medical device cybersecurity meet FDA expectations and federal law. This activity is important so that patients can expect safe, effective, secure, and highly available health care delivery.

Industry Update: Cyber Trust Mark Excludes Medical Devices

Archimedes is pleased to see that the FCC has agreed to our recommended changes to the proposed U.S. Cyber Trust Mark. The Cyber Trust Mark is a hugely important program and an early step toward improving the cybersecurity of consumer products such as Internet of Things devices (smart thermostats, smart locks, etc.).

The circulated Report and Order (R&O) includes an important statement in paragraph 15: “Because medical devices regulated by the U.S. Food and Drug Administration (FDA) already are subject to statutory and regulatory cybersecurity requirements under other federal laws more specifically focused on such devices, we do not include such devices in our IoT Labeling Program.”

Medical device manufacturers and health care delivery organizations can now rest assured that they will not be held to two different standards of cybersecurity. Instead, manufacturers will follow existing FDA regulations to receive clearance or approval of cybersecurity engineering within medical device design.

The medical device community is taking a breath of relief knowing that (1) the already highly regulated medical device space is proposed to be explicitly excluded from the U.S. Cyber Trust Mark program; and (2) stakeholders can continue to follow existing cybersecurity requirements that represent over a decade of community effort.

Read Kevin Fu’s letter to the FCC explaining why medical devices should be excluded from the Cyber Trust Mark: https://spqrlab1.github.io/papers/Fu-FCC-cybermark-2023.pdf

Register for Archimedes Before the March 3 Early Bird Deadline!

Want to learn more about medical device cybersecurity and regulations to better prepare for FDA cybersecurity pre-market reviews of your product? Join Dr. Kevin Fu and other experts at the training and Archimedes 101 Workshop at Health Care Security Week in New Orleans, April 30-May 2, 2024. Register by March 3, 2024, to receive the early bird discount: https://www.secure-medicine.org/events/2024healthcaresecurityweek
