Bipartisan Legislation Seeks to Let FDA Demand Cyber Details From Manufacturers
This article has been updated with a statement from the Food and Drug Administration.
Bipartisan bills introduced into the U.S. Senate and House of Representatives aim to strengthen healthcare sector infrastructure by requiring medical device manufacturers to implement certain critical cybersecurity measures for the regulatory premarket approval process and life cycle of their products.
Sens. Bill Cassidy, R-La., and Tammy Baldwin, D-Wisc., on Thursday introduced into the Senate the Protecting and Transforming Cyber Health Care – or PATCH – Act, which contains the medical device proposals.
Also, Rep. Michael Burgess, R-Texas, and Rep. Angie Craig, D-Minn., introduced companion legislation into the House on March 29.
Both the Senate and House versions of the PATCH Act contain the same proposals.
“In recent years, we’ve seen a significant increase in cyberattacks that have exposed vulnerabilities in our healthcare infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients,” Baldwin says in a joint statement with Cassidy.
“New medical technologies have incredible potential to improve health and quality of life. If Americans cannot rely on their personal information being protected, this potential will never be met,” Cassidy, who is a physician, says in the statement.
Cassidy is also the co-sponsor of another Senate bill, the Healthcare Cybersecurity Act of 2022, introduced in March with Sen. Jacky Rosen, D-Nev., which proposes closer collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, also with the goal of strengthening cybersecurity in the health and public health sectors (see: Bill Touts CISA, HHS Teamwork to Aid Health Sector Security).
PATCH Act Proposals
Among its proposals, the PATCH Act, if signed into law, would amend the Federal Food, Drug, and Cosmetic Act so that the Food and Drug Administration may require manufacturers to implement certain cybersecurity requirements when the makers apply to the FDA for premarket approval of their devices.
The PATCH Act would also:
- Require manufacturers to design, develop and maintain processes and procedures to update and patch medical devices and related systems throughout the life cycle of the device;
- Establish a software bill of materials for the device – including components such as commercial, open-sourced and off-the-shelf software – that will be submitted to the FDA and provided to users;
- Require the development of a plan by the device manufacturer to monitor, identify and address postmarket cybersecurity vulnerabilities;
- Request a coordinated vulnerability disclosure to demonstrate the safety and effectiveness of a device.
Some experts say that while some medical device makers are already taking many of the steps being proposed by the legislation to enhance the cybersecurity of their products, others are not.
“Many manufacturers are already very proactive, with thought leaders in many working groups,” says Michael Holt, president and CEO of healthcare security firm Virta Labs. “However, some laggard makers need to improve cyber hygiene.”
But if signed into law, the legislation also could potentially create other challenges for some device makers, he says. “The argument is that in developing newer devices and technologies, this could slow life-saving innovation by increasing the required resources for cybersecurity and thus time to market.
“Many startups don’t even know where to begin with implementing cybersecurity. The amount of unpatched devices in use is unbelievable and would require significant human resources to perform updates,” Holt says.
Currently, the FDA’s premarket and postmarket cybersecurity guidance for medical devices is considered a set of “nonbinding” recommendations for manufacturers.
In 2018, the FDA issued a draft update to its premarket cybersecurity guidance for medical devices, which had originally been issued in 2014.
That 2018 draft proposed that medical device makers provide a “cybersecurity bill of materials” for their products. But the FDA has not yet finalized that updated guidance. FDA officials say that the regulators plan to release a revised draft guidance, but a specific timeline has not been announced.
Also, the FDA in December 2016 released final postmarket guidance for how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use.
For its part, the FDA is encouraged to see congressional interest in legislative proposals relating to cybersecurity of medical devices, Dr. Suzanne Schwartz, director of the FDA’s Office of Strategic Partnerships & Technology Innovation, Center for Devices and Radiological Health, tells Information Security Media Group.
“In 2018, the FDA’s Medical Device Safety Action Plan indicated that we were considering seeking additional authorities for medical device cybersecurity,” she says. “We believe that the legislation proposed in the PATCH Act tracks closely with the additional authorities we have outlined.”
Most recently, the FDA submitted a legislative proposal in accordance with the Office of Management and Budget proposing new requirements on medical device manufacturers to address the safety and effectiveness of devices through cybersecurity measures that span the total product life cycle, she says.
Schwartz also says the FDA plans to publish a revised draft guidance related to premarket medical device cybersecurity in the “near future.”
A device manufacturer’s software bill of materials is akin to an “ingredients list” and is integral to further protecting medical devices against cyber intrusions, exploits or attacks, irrespective of intent, i.e., whether deliberate or a spillover, opportunistic effect, Schwartz says.
“Owners and/or operators of devices or systems, such as healthcare delivery organizations, cannot adequately protect against compromise resulting from a cyber event unless there is knowledge of what software component parts reside within the devices and on systems and networks that contain vulnerabilities,” she says.
Schwartz says SBOMs are a critical tool for risk assessment and asset management, adding: “Transparency around software components, as achieved via SBOM, would enable proactive medical device vulnerability management. Ultimately, this advances the cyber posture of the healthcare ecosystem.”
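The vulnerability-management use of an SBOM that Schwartz describes comes down to a simple join: the component list a manufacturer ships against the advisories a healthcare delivery organization tracks. The following Python is an added example, not code from the article, the FDA or any device maker. The SBOM is a constructed document in the CycloneDX JSON shape, the advisories are constructed placeholders (the ids are not real CVE numbers), and the version ordering is a deliberately simple assumption that handles dotted numbers and letter suffixes such as OpenSSL's 1.1.1k.

```python
"""Match components from a device SBOM against vulnerability advisories.

Added example for illustration only. The SBOM and the advisories below are
constructed; the advisory ids are placeholders, not real CVE identifiers.
"""
import json
import re
from dataclasses import dataclass

# Constructed SBOM in the CycloneDX JSON shape (bomFormat/components/purl).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-pump-controller", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "operating-system", "name": "linux-kernel", "version": "4.19.0",
     "purl": "pkg:generic/linux-kernel@4.19.0"},
    {"type": "library", "name": "zlib", "version": "1.2.12",
     "purl": "pkg:generic/zlib@1.2.12"}
  ]
}
"""

# Constructed advisories: affected range is [introduced, fixed), ids are placeholders.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "log4j-core", "introduced": "2.0.0",
     "fixed": "2.17.1", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "name": "openssl", "introduced": "1.1.1",
     "fixed": "1.1.1l", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "name": "zlib", "introduced": "1.2.0",
     "fixed": "1.2.12", "severity": "high"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


def parse_sbom(text: str) -> list[Component]:
    """Extract (name, version, purl) from a CycloneDX-style JSON SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [Component(c["name"], c["version"], c.get("purl", ""))
            for c in doc.get("components", [])]


def version_key(version: str) -> list:
    """Sortable key (assumed scheme): numeric runs compare as integers, letter
    runs as strings, so 1.1.1 < 1.1.1k < 1.1.1l and 1.2.9 < 1.2.12."""
    return [(0, int(p)) if p.isdigit() else (1, p.lower())
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed.
    A component already at the fixed version is therefore not reported."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def match_advisories(components: list[Component], advisories: list[dict]) -> list[dict]:
    """Return one finding per (component, advisory) pair whose range matches."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp.name and is_affected(comp.version, adv["introduced"], adv["fixed"]):
                findings.append({"component": comp.name, "version": comp.version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


def scan(sbom_text: str, advisories: list[dict] = ADVISORIES) -> list[dict]:
    """Parse an SBOM and report which shipped components fall in an advisory range."""
    return match_advisories(parse_sbom(sbom_text), advisories)


if __name__ == "__main__":
    for f in scan(SBOM_JSON):
        print(f"{f['severity']:<9} {f['component']} {f['version']} "
              f"({f['advisory']}, fixed in {f['fixed_in']})")
```

Run against the constructed input, the scan flags openssl and log4j-core and stays silent on zlib, which already sits at the advisory's fixed version, and on the kernel, for which no advisory is listed. That boundary handling is the part worth keeping when swapping in real advisory feeds: an SBOM only helps an asset owner if version ranges are compared precisely rather than by name alone.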
The PATCH Act “will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the FDA to ensure that users are properly equipped to deal with foreign or domestic ransomware attacks. It is time to examine how to modernize and protect our healthcare infrastructure,” Burgess says in a joint statement with co-sponsor Craig about the House legislation.
Bad actors have increasingly relied on cybersecurity vulnerabilities to take advantage of unsuspecting individuals and undermine national security, according to the statement. “That trend is especially alarming when it comes to personal medical devices, which can be exploited by cybercriminals – threatening the health and well-being of countless Americans,” Craig says.
Some industry experts say the PATCH bill’s intent to help improve medical device cybersecurity is an important aim.
“This is a good idea, although it is regrettable that it requires legislation,” says former healthcare CIO David Finn, vice president of the education and networking associations within the College of Healthcare Information Management Executives, a healthcare CISO professional organization.
“The FDA should require this. Voluntary action has not driven improvement – except to identify that there are more problems than we even knew about,” he says.
Finn says promising medical technologies cannot succeed if patients and providers cannot rely on them to be safe from attack, which means the devices must be operable and available during an attack or outage, and sensitive patient information stored on them must be protected.
“During and post-COVID-19, remote care, remote monitoring took on a new urgency and in some cases criticality. It will be more important than ever to keep patients safe by ensuring that devices are built and deployed using privacy and security by design.”
Work in Progress
The Healthcare Supply Chain Association, an industry group, says it is pleased to see that the proposed PATCH Act legislation incorporates provisions that are “generally consistent” with recent guidance the group issued regarding cybersecurity recommendations for medical devices and services (see: Why SBOMs in Healthcare Supply Chain Are Critical).
“As information technology, software and medical devices play an increasingly important role in healthcare, it is more critical than ever to ensure that cybersecurity threats do not jeopardize patient health, safety and privacy,” Todd Ebert, HSCA president and CEO, tells ISMG.
He says, “Although we take a cautious approach to additional regulatory burdens for healthcare supply chain participants, the proposed legislation is indicative of the broad bipartisan support for improved cybersecurity and could help clarify cybersecurity requirements for manufacturers of medical devices.”
Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council, says the PATCH Act’s proposals are “everything the health sector has been working toward with FDA and between health delivery organizations and medical device manufacturers.”
For example, the HSCC and its working groups also have been striving to help the industry tackle some of the challenges involving medical device cybersecurity, according to Garcia.
“Our published model contract language and continued work on model vulnerability communications and legacy medical device cybersecurity management, all address the provisions of the bill, and support use of software bills of material.” (see: Template Aims to Help Add Cyber in Medical Device Contracts).
“Patient safety requires cyber safety,” Garcia says.