Congress Mulls Another Medical Device Cybersecurity BillFDA User Fee Legislation Proposes Device Maker Security Mandates
Medical device cybersecurity is again getting attention from Congress, with yet another bill proposing to require manufacturers to address product life cycle cybersecurity concerns in their premarket submissions to the Food and Drug Administration.
The latest proposals are contained in a bipartisan House of Representatives bill - H.R. 7667, Food and Drug Amendments of 2022 - introduced on Friday by Rep. Anna Eshoo, D-Calif., and co-sponsored by Reps. Brett Guthrie, R-Ky.; Frank Pallone, D-N.J.; and Cathy McMorris Rogers, R-Wash.
The bill, which has been referred to the House Committee on Energy and Commerce, seeks to amend the Federal Food, Drug, and Cosmetic Act to revise and extend the FDA's user fee programs for medical devices, prescription drugs, generic drugs and biosimilar biological products. Manufacturers pay users fees when submitting applications to the FDA for product review.
Among the user fee bill's extensive provisions, however, are proposals that medical device manufacturers, as part of their premarket submission to the FDA, meet a list of minimum requirements to ensure the cybersecurity of their products throughout the devices' life cycles.
Proposed Cyber Requirements
Among the user fee bill's proposals, medical device manufacturers would be required to have a plan "to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures."
The bill also proposes that makers "design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure, and make available updates and patches to the cyber device and related systems throughout the life cycle."
Also, manufacturers would be required to provide in the device labeling and a software bill of materials including commercial, open-source and off-the-shelf software components.
The user fee legislation's medical device cybersecurity proposals are also similar to provisions contained in two identical bipartisan bills introduced into the House and Senate in recent weeks as the Protecting and Transforming Cyber Health Care, or PATCH, Act (see: Bill Requires Medical Device Makers to Enhance Cybersecurity).
The PATCH Act also proposes amending the Federal Food, Drug, and Cosmetic Act so that the FDA has the statutory authority to require manufacturers to implement cybersecurity requirements when the makers apply to the agency for premarket approval of their devices.
Currently, FDA guidance documents for medical device makers concerning the cybersecurity of the premarket and postmarket products are considered "non-binding."
For its part, the FDA last month issued updated draft guidance that includes a comprehensive and detailed list of proposed cybersecurity considerations and actions that medical device makers are recommended to take to address and document for their premarket submissions to the FDA.
Many of the FDA's draft guidance proposals are also similar to medical device cybersecurity provisions contained in the proposed PATCH Act and the Food and Drug Amendments of 2022 legislation.
Time for Change?
Some experts say that Congress appears to be responding to a spotlight that has been intensifying on medical device cybersecurity issues for a while. "Medical device cybersecurity has been a well-known vulnerability for several years," says regulatory attorney Jason Johnson, a partner with law firm Moses & Singer LLP.
"The healthcare sector in particular has been a highly targeted area over the last several years. With an expected increase in cybersecurity attacks from Russia due to the Ukrainian conflict, this is a significant gap that Congress would like to close to start addressing some of the various cybersecurity vulnerabilities facing many different technology and business sectors in the U.S.," he says.
Several factors are driving the attention on medical device cybersecurity, says privacy and security attorney Brad Rostolsky of the law firm Reed Smith. "Two things are happening at once - cybersecurity issues continue to become more prevalent and devastating to both individuals and businesses," he says.
And at the same time, "the healthcare industry continues to develop and amplify the ability for patients/consumers - and their healthcare providers - to better and more efficiently engage with the healthcare system through technology, devices and mobile applications," he says.
The FDA in its proposed fiscal 2023 budget congressional justification document also recently included legislative proposals concerning medical device cybersecurity.
The FDA, in that document to Congress this spring, said that the agency currently has no statutory authority to require medical device manufacturers to address cybersecurity. "Specifically, FDA seeks to have express authority to require that premarket submissions to FDA include evidence demonstrating reasonable assurance of the device's safety and effectiveness for purposes of cybersecurity," the document says.
The spate of recent federal legislation is a positive development as it will potentially codify many of the FDA-proposed regulations, giving the FDA and other federal agencies greater power over implementation and enforcement, Johnson says. "This also gives the FDA explicit authority around cybersecurity and medical devices, which are not currently directly tied together."
Attention to Details
Regulatory attorney Michael Borgia of the law firm Davis Wright Tremaine says lawmakers are beginning to understand the potential harm for medical devices. "The epidemic of ransomware has, in particular, highlighted that harm. A cyberattack that renders medical devices inoperable easily could mean serious physical harm or death," he says.
While the attention by Congress on medical device cybersecurity is important, "the devil is really in the details," Borgia says.
"In general, I see an appreciation within the industry for the need for certain cybersecurity standards for medical devices. But these are high-tech devices, and they change quickly."
As the features and operations of the devices change, so too may the appropriate controls and mechanisms for securing them, he adds. "It’s vital that any mandatory cybersecurity rules for medical devices be written in a way that gives manufacturers and developers considerable leeway in designing security appropriate to that device, its uses, and the risks it might pose if compromised."
The FDA declined Information Security Media Group's request for comment on the proposals contained in H.R. 7667, Food and Drug Amendments of 2022 legislation.