New Legislation Considered for Improving Medical Device Cybersecurity

A bipartisan bill has been introduced to amend the Federal Food, Drug, and Cosmetic Act (FD&C Act). It would reauthorize the FDA's user-fee programs, including the program that already funds medical device review, and add cybersecurity requirements that medical device manufacturers would have to meet before their devices reach the market.

The FD&C Act was passed in 1938 and gave the U.S. Food and Drug Administration the authority to oversee the safety of food, drugs, medical devices, and cosmetics. In 1992, the Prescription Drug User Fee Act was introduced, allowing the FDA to collect fees from drug manufacturers to fund the review process for new drugs. The new bill, H.R.7667, was introduced by Rep. Anna Eshoo (D-CA) and co-sponsored by Reps. Brett Guthrie (R-KY), Frank Pallone (D-NJ), and Cathy McMorris Rodgers (R-WA). It would extend the user-fee programs for generic drugs, prescription drugs, medical devices, and biosimilar biological products.

In recent years, concern has been growing about the threat of cyberattacks on medical devices. These devices are often networked, so a compromised device can give threat actors a foothold in a healthcare network from which to conduct follow-on attacks, such as ransomware attacks, which can threaten patient safety. Vulnerabilities in medical devices could also be exploited to alter how the devices function, which could result in patients being harmed directly.

The FDA has issued premarket and postmarket cybersecurity guidance for medical device manufacturers, but guidance documents are recommendations and are not legally binding. H.R.7667 is the latest of several recent bills that seek to address medical device cybersecurity by requiring manufacturers to apply cybersecurity controls and processes across the entire lifespan of their devices.

The bill states, “For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness.”

If enacted, the bill would require manufacturers of what it terms "cyber devices" to design, develop, and maintain processes and procedures to ensure that their devices, and related systems, are secure and protected against cyber threats. They would have to make security updates and patches available for their devices and associated systems for the entire lifecycle of their products. Manufacturers would also need to regularly assess the security of their devices and include a software bill of materials (SBOM) in the device labeling. The SBOM would have to list all software components used in the device, including open source, commercial, and off-the-shelf components. Finally, manufacturers would need to demonstrate the safety and effectiveness of their devices with respect to cybersecurity as part of the premarket submission in order to receive FDA authorization. The bill has been referred to the House Committee on Energy and Commerce.

Similar requirements for medical device manufacturers were recently proposed in the Protecting and Transforming Cyber Health Care (PATCH) Act, which also aims to improve medical device cybersecurity. The PATCH Act likewise calls for an SBOM to be included, along with other cybersecurity requirements for securing devices throughout their lifecycle, and for those requirements to be assessed at the premarket stage as part of the FDA review process.