New Legislation Considered for Improving Medical Device Cybersecurity

A bipartisan bill has been proposed to amend the Federal Food, Drug, and Cosmetic Act (FD&C Act) to reauthorize the FDA's user-fee programs, including the program for medical devices, and to require medical device manufacturers to ensure that their devices are cybersecure.

The FD&C Act was passed in 1938 and gave the U.S. Food and Drug Administration the authority to oversee the safety of food, drugs, medical devices, and cosmetics. In 1992, the Prescription Drug User Fee Act was enacted, allowing the FDA to collect fees from drug manufacturers to fund the review of new drug applications. The new bill, H.R.7667, was introduced by Rep. Anna Eshoo (D-CA) and co-sponsored by Reps. Brett Guthrie (R-KY), Frank Pallone (D-NJ), and Cathy McMorris Rodgers (R-WA). It would extend the user-fee programs for generic drugs, prescription drugs, medical devices, and biosimilar biological products.

In recent years, concern has been growing about the threat of cyberattacks on medical devices. These devices are often networked, so a compromised device can give threat actors a foothold in a healthcare network from which to conduct follow-on attacks, such as ransomware attacks, that can threaten patient safety. Vulnerabilities in medical devices could also be exploited to alter the behavior of the devices themselves, which could result in direct harm to patients.

The FDA has issued cybersecurity guidance for medical device manufacturers, but that guidance consists of recommendations and is not legally binding. H.R.7667 is the latest of several recently proposed bills that seek to address medical device cybersecurity by requiring manufacturers to apply cybersecurity controls and processes covering the entire lifespan of their devices.

The bill states, “For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness.”

Under the bill, medical device manufacturers would be required to design, develop, and maintain processes and procedures to ensure that their devices and related systems are secure and protected against cyber threats. They would be required to make security updates and patches available for their devices and associated systems throughout the products' lifecycle. Manufacturers would need to regularly assess the security of their devices and ensure that device labeling includes a software bill of materials (SBOM) listing all software components used in the device, including open source, commercial, and off-the-shelf components. Manufacturers would also need to demonstrate the safety and effectiveness of their devices with respect to cybersecurity in order to receive FDA approval. The bill has been referred to the House Committee on Energy and Commerce.


Similar requirements for medical device manufacturers have recently been proposed in the Protecting and Transforming Cyber Health Care (PATCH) Act. The PATCH Act also calls for an SBOM to be provided, along with other cybersecurity requirements to secure devices throughout their lifecycle, and for those security requirements to be assessed at the premarket stage as part of the FDA approval process.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/