A bill recently introduced in the U.S. House of Representatives aims to address gaps in medical device cybersecurity.
Details of Proposed Law to Address Medical Device Cybersecurity
H.R. 7667 seeks to amend the Federal Food, Drug, and Cosmetic Act to revise and extend the user-fee programs for prescription drugs, medical devices, generic drugs, biosimilar biological products, and other purposes.
One of those other purposes would require medical device manufacturers to meet specific minimum standards for cybersecurity.
The bill would require device manufacturers to do the following:
- Develop a plan to appropriately monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits in a reasonable time, including coordinated vulnerability disclosure and procedures.”
- Design, develop, and maintain processes and procedures to ensure the device and related systems are cyber-secure, including making updates and patches available to the cyber device and related systems throughout the lifecycle of the cyber device.
- Provide a cyber device software bill of materials in the labeling that states all commercial, open-source, and off-the-shelf software components that have been used in the devices.
- Comply with other requirements, including demonstrating a reasonable assurance of the safety and effectiveness of the device for cybersecurity purposes.
Other Proposed Laws to Address Medical Device Cybersecurity
Unlike most other measures being considered on Capitol Hill, the bill appears to have bi-partisan support with co-sponsors from both sides of the aisle. A similar bill has been introduced in the Senate that also has bipartisan support.
The PATCH Act would require all premarket submissions for medical devices to include details of the cybersecurity protections that have been implemented.
Federal Agency Guidelines to Address Medical Device Cybersecurity
Unless there is action at the federal level, consumers will have to rely upon cybersecurity guidance from the Food and Drug Administration issued for medical device manufacturers.
The Health and Cybersecurity Working Group has developed a “MedTech Vulnerability Communications Toolkit” based upon the FDA’s best practices guide for communicating medical device vulnerabilities to patients and caregivers.
While the guidelines and toolkits are beneficial, they lack the power of law to require medical device manufacturers to follow the recommendations.
