Medical Device Security Provision Now Part of Spending Bill
Senate Sends Spending Bill to House with Resurrected Medical Device Protections
A resurrected proposal to enhance the cybersecurity of medical devices is nestled within the 4,155-page, $1.7 trillion omnibus spending bill that the Senate passed Thursday and sent to the House for approval.
On page 3,537, a provision of the omnibus spending bill would empower the Department of Health and Human Services to require medical device makers to meet certain cybersecurity requirements in their new product submissions to the Food and Drug Administration.
Under the spending bill, which would keep the U.S. government funded through the current fiscal year ending Sept. 30, 2023, HHS would require device makers submitting product applications to the FDA for market approval to:
- Design, develop and maintain processes and procedures to provide a reasonable assurance that the device and related systems are secure.
- Submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities and exploits in their products, including coordinated vulnerability disclosure and related procedures.
- Make available postmarket updates and patches to the device and related systems to mitigate vulnerabilities.
- Provide a software bill of materials, including commercial, open-source and off-the-shelf software components.
The bill calls for the FDA to issue updated premarket cybersecurity medical device guidance for FDA staff and the device industry no later than 180 days after the legislation is enacted.
The bill also calls for the Government Accountability Office to publish a report "identifying challenges in cybersecurity for devices, including legacy devices that may not support certain software security updates" within one year of enactment.
If the medical device cybersecurity provisions contained in Congress' latest proposed spending bill sound familiar, they are.
The provisions in the spending bill came from another piece of legislation proposed earlier this year - the Protecting and Transforming Cyber Health Care Act, dubbed the PATCH Act - sponsored by Reps. Michael Burgess, a Texas Republican, and Angie Craig, a Minnesota Democrat (see: Bill Requires Medical Device Makers to Enhance Cybersecurity).
The bipartisan PATCH Act legislation aimed to protect medical device security by making FDA review of key cybersecurity design and maintenance processes required, rather than merely optional or recommended, says Kevin Fu, a professor and director of the Archimedes Center for Healthcare and Device Security at the University of Michigan.
"Cybersecurity is patient safety, and both healthcare delivery organizations and leading medical device manufacturers support this legislation," says Fu, who earlier this year completed a temporary stint as medical device cybersecurity adviser to the FDA.
If the medical device provisions of the omnibus bill get the green light and are signed into law, "the legislation is significant because required, built-in cybersecurity will enable innovation of high confidence on medical devices," Fu says.
"I also foresee a future of medical devices that provides patients with more open access to their own health data while simultaneously ensuring high availability, authenticity and integrity of therapies and diagnostics," he adds.
Requiring manufacturers to submit SBOMs and coordinated vulnerability disclosure plans for FDA review is hugely important for protecting medical devices, especially legacy devices, from endemic cybersecurity threats, Fu says. "Requiring plans for cybersecurity software patches is a huge leap forward from the status quo to protect medical devices," he says.
"This legislation paves the way for innovation of new therapies and diagnostics for telemedicine, cardiac implants, robotic surgery, neuromodulation, AI-powered medical devices and more that would be hard to imagine without built-in, independently verifiable cybersecurity."
Axel Wirth, chief security strategist at security firm MedCrypt, offers a similar assessment. "What we have seen across our customer base of medical device manufacturers are notable efforts to design more secure devices and to develop processes to manage devices’ security posture. However, I think a government-imposed deadline was needed for the industry to make this final and coordinated push to get this over the finish line," he says.
Nonetheless, similar medical device proposals have appeared in previous legislation, only to be cut before passage.
For instance, similar medical device cybersecurity proposals were cut from the FDA User Fee Reauthorization Act of 2022, which was signed into law in September as part of the larger Continuing Appropriations and Ukraine Supplemental Appropriations Act of 2023. That bill renewed, through September 2027, the FDA's authority to collect fees from manufacturers for the independent review of new drugs and medical devices.
The House in June approved an earlier version of the FDA user fee reauthorization bill. Like the current omnibus spending bill, it required medical device manufacturers to monitor and address postmarket cybersecurity vulnerabilities.
That bill also told manufacturers to ensure that medical devices can receive patches and required them to label devices with a software bill of materials (see: FDA Authorization Bill Drops Medical Device Cybersecurity).
Also in June, bipartisan legislation, the Strengthening Cybersecurity for Medical Devices Act, was introduced in the Senate, requiring the FDA to review and update premarket medical device cybersecurity guidance every two years. That bill, sponsored by Sens. Jacky Rosen, D-Nev., and Todd Young, R-Ind., was referred to the Senate Committee on Health, Education, Labor and Pensions but lost traction as a stand-alone bill (see: Bill Calls for Frequent FDA Device Cyber Guidance Updates).
Some of the proposals in the latest omnibus bill also overlap with certain efforts already underway at the FDA. For instance, the FDA in April issued draft guidance providing updated and detailed recommendations for how medical device makers should address cybersecurity risk in the premarket stage of their products.
That draft guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, covers a wide range of cybersecurity device design, labeling and documentation issues - including details about threat modeling, security controls and software bills of materials - that the FDA recommends be addressed by manufacturers in their premarket submissions to the agency.
The FDA is currently reviewing public comment received on the draft recommendations before moving ahead with issuing final guidance.
"Passing of the omnibus bill would certainly accelerate any government efforts on cybersecurity - within and outside of FDA - and will not only assure timely release of a final premarket guidance, but also will make sure that it has teeth and can be acted on," Wirth says.