Getty Images

FDA Bill Includes Medical Device Security Requirements For Manufacturers

New FDA user fee legislation would require manufacturers to meet certain medical device security requirements as part of their premarket submission.

Recently introduced Food and Drug Administration (FDA) user fee legislation contains medical device security provisions that aim to quell cybersecurity concerns at the premarket stage. The bipartisan House of Representatives bill (H.R.7667) seeks to amend the Federal Food, Drug, and Cosmetic Act.

Specifically, the bill aims to extend the user-fee programs for generic drugs, prescription drugs, medical devices, and biosimilar biological products. Among the bill’s extensive proposed amendments, spanning everything from animal testing provisions to factory inspection updates, legislators emphasized the importance of medical device security at the manufacturing stage.

“For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness,” the bill stated.

Manufacturers would be required to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure, and shall make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device.”

The bill put additional responsibility on medical device manufacturers to regularly assess vulnerabilities and provide a software bill of materials (SBOM) containing information about open-source, commercial, and off-the-shelf software components. If the Secretary finds that the cybersecurity information provided in the premarket submission is inadequate, they may issue a non-substantial equivalence determination.

In March, US Senators introduced the Protecting and Transforming Cyber Health Care (PATCH) Act, also with the intention of ensuring medical device security at the premarket stage.

The PATCH Act would enable the implementation of critical cybersecurity requirements for medical device manufacturers applying for premarket approval through the Food and Drug Administration (FDA). The act would also require manufacturers to design, develop, and maintain updates and patches throughout the lifecycle of their devices. Similarly, the PATCH Act stressed the need for SBOMs in ensuring medical device security.

In April, the FDA issued a request for feedback on its medical device security guidance surrounding premarket submission cybersecurity considerations. The FDA initially released its final guidance regarding premarket expectations in 2014 and additional drafted guidance in 2018. However, the administration explained, the rapidly changing threat landscape “necessitates an updated approach.”

The guidance cited growing concerns surrounding medical device security, including the increasing number of connected devices and a cyberattack’s ability to disrupt patient care.

Also in April, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) released its “MedTech Vulnerability Communications Toolkit,” building upon the FDA’s best practices guide for communicating medical device vulnerabilities to patients and caregivers.

HSCC’s toolkit provided specific tools for medical device manufacturers and software developers to create cybersecurity vulnerability communications for their products.

New industry tools and legislation show that the healthcare sector is increasingly prioritizing medical device security.

Next Steps

Dig Deeper on Cybersecurity strategies