Bill Calls for Frequent FDA Device Cyber Guidance UpdatesProposals Are Latest Ones Focused on Improving Medical Device Cybersecurity
Congress is pondering a proposal requiring the Food and Drug Administration to regularly update cybersecurity guidance amid a flurry of legislative activity surrounding the safeguarding of medical devices from digital threats.
The FDA currently issues medical device cybersecurity guidance on a timeline of its own discretion. A bipartisan proposal, the Strengthening Cybersecurity for Medical Devices Act, would require the agency to review and update premarket medical device cybersecurity guidance every two years. The bill is sponsored by Sens. Jacky Rosen, D-Nev., and Todd Young, R-Ind.
The FDA is in the middle of collecting public comment on updated draft guidance for premarket medical device cybersecurity, and comments are due by July 7 (see: FDA Document Details Cyber Expectations for Devices).
The proposal from Rosen and Young proposal is the latest in Congress to address medical device cybersecurity.
Rosen is also a co-sponsor of the Healthcare Cybersecurity Act, legislation she introduced in March along with Sen. Bill Cassidy, R-La., that mandates tighter collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency. The goal is to boost healthcare and public health sector digital defenses (see: Bill Touts CISA, HHS Teamwork to Aid Health Sector Security).
The medical device legislation from Rosen and Young proposes a similar provision in language directing the FDA to work with CISA when updating medical device cybersecurity guidelines.
House Advances Medical Device Cybersecurity Provisions
In May, the House of Representatives passed H.R. 7667, the Food and Drug Amendments of 2022, which contains a slew of medical device cybersecurity provisions (see: Congress Mulls Another Medical Device Cybersecurity Bill).
Among them is a requirement that medical device manufacturers patch unacceptable and critical vulnerabilities and have a plan to address exploitable bugs through coordinated disclosures.
The cybersecurity provisions of the House legislation are a small part of annual legislation reauthorizing the FDA's user fee programs for medical devices and prescription drugs. Manufacturers pay users fees when submitting product review applications to the agency.
The Senate Health, Energy, Labor and Pensions Committee voted last week to advance S. 4348, its version of the FDA user fee reauthorization bill, but that legislation does not contain medical device cybersecurity provisions.
Other Recent Proposals
The Rosen-Young legislation is among several other recent bills containing medical device cybersecurity proposals.
Those include a bipartisan bill introduced in the House and Senate in April dubbed Protecting and Transforming Cyber Health Care Act (see: Bill Requires Medical Device Makers to Enhance Cybersecurity).
The PATCH Act proposes amending the FDA's governing statute by granting it authority to require manufacturers to implement cybersecurity requirements when the makers apply to the agency for premarket approval.
Kevin Fu, director of the Archimedes Center for Healthcare and Device Security at the University of Michigan, who recently completed a stint as FDA acting director of medical device security, tells ISMG that he appreciates what's proposed in the Rosen-Young bill.
"I hear from many patients who want appropriate security built into their medical devices, and this bill emphasizes the importance of keeping medical devices cybersecure," he says.
Reviewing FDA guidance internally every couple of years sounds appropriate - but when guidance is designed well, it will also age well, even as the threat landscape evolves, he adds.
"That's why long-lasting guidance will focus on fundamental concepts and principles rather than specific technologies or threats that can change quickly. Threat modeling and a systems approach to security is key for premarket guidance, in my opinion," he says.
Former healthcare CIO David Finn says the Rosen-Young proposals would help address cybersecurity issues in newer medical equipment, but the bigger security problems lies with millions of legacy medical devices that are still in use.
"There is no easy way of resolving that," says Finn, who is vice president of the education and networking associations within the College of Healthcare Information Management Executives, a healthcare CIO and CISO professional organization. A directive in the bill for the Government Accountability Agency to study the matter could at least "drive some focus and attention on the scope and scale of that issue," he says.