A new bill has been introduced to address the cybersecurity of medical devices. It would require medical device manufacturers to meet minimum cybersecurity standards for the entire lifecycle of their products.
The medical device cybersecurity provisions of the bill, H.R. 7667, the Food and Drug Amendments of 2022, call for device manufacturers to “have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures,” and to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure.”
Those processes and procedures must include making “updates and patches available to the cyber device and related systems throughout the lifecycle of the cyber device.” Patches and updates are required on a reasonably justified regular cycle to address known vulnerabilities and, as soon as possible out of cycle, to address critical vulnerabilities that could cause uncontrolled risks.
The bill also calls for manufacturers to provide a cyber device software bill of materials (SBOM) in the labeling, listing all commercial, open-source, and off-the-shelf software components used in the device. Manufacturers would also need to comply with further requirements that may be introduced, such as being able to “demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity.”
H.R. 7667 was introduced by Rep. Anna Eshoo (D-CA) and co-sponsored by Reps. Brett Guthrie (R-KY), Frank Pallone (D-NJ), and Cathy McMorris Rodgers (R-WA), and has been referred to the House Committee on Energy and Commerce. The bill would amend the Federal Food, Drug, and Cosmetic Act and reauthorize the FDA user fee programs for prescription drugs, generic drugs, biosimilar biological products, and medical devices; under these programs, manufacturers pay fees when they submit applications to the FDA for product review.
Several bills have recently been introduced that seek to improve the cybersecurity of medical devices, including the PATCH Act, introduced by U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) in March 2022. The PATCH Act would also amend the Federal Food, Drug, and Cosmetic Act and would require all premarket submissions for medical devices to include details of the cybersecurity protections that have been implemented.
There is a clear need for legislative changes that require medical device manufacturers to address cyber risks. Medical device security has attracted considerable attention of late because vulnerabilities in these devices can be exploited by threat actors to gain access to healthcare networks, conduct denial-of-service attacks, and deliberately or inadvertently cause harm to patients.
While the FDA has published updated guidance for medical device manufacturers with recommendations for improving cybersecurity throughout the entire device lifecycle, that guidance consists only of recommendations and is therefore non-binding.