FDA user-fee legislation carves out baseline for medical device cybersecurity

Legislation proposes cybersecurity requirements for medical device manufacturers. Pictured: The U.S. Capitol Dome is seen on Nov. 18, 2021, in Washington. (Photo by Anna Moneymaker/Getty Images)

A newly introduced Food and Drug Administration user-fee program legislation includes a host of cybersecurity requirements for medical device manufacturers that would require developers come up with processes to identify and address security threats and vulnerabilities.

Introduced by Health Subcommittee Chairwoman Rep. Anna G. Eshoo, D-Calif., on behalf of Rep. Brett Guthrie, R-Ky., the Food and Drug Amendments of 2022 bill targets user-fees, supply chain, and clinical trial diversity. The House Energy and Commerce Committee unveiled the bill on May 4, which is scheduled for markup by the Health Subcommittee this week.

Although the comprehensive package is designed to reauthorize FDA user-fee agreements, targeting lower costs, supporting innovation, and improving generic drug competition, the bill also seeks to bolster transparency, program integrity, and regulatory improvements that could improve transparency and ensure cybersecurity throughout the medical device lifecycle.

Namely, it would require any manufacturer issuing a premarket submission of a cyber device to include information relevant to ensuring the device meets cybersecurity requirements, deemed “appropriate to demonstrate a reasonable assurance of safety and effectiveness” by the secretary of Health and Human Services.

The bill proposes a number of minimum requirements for device manufacturers, which includes a plan to effectively monitor, identify and address post-market cybersecurity vulnerabilities and exploits within a reasonable timeframe through coordinated vulnerability disclosure and procedures.

Manufacturers would also be required to develop processes to ensure the device and its related systems are “cybersecure,” along with making updates and patches available to users throughout the lifecycle of the device to address “known unacceptable vulnerabilities” on a justified, regular schedule.

The bill would also require manufacturers to disclose flaws impacting out-of-cycle devices that could cause uncontrolled risks. The added requirement could feasibly address a longstanding challenge in medical device security, where often healthcare security leaders lack visibility into whether enterprise devices hold known vulnerabilities.

If passed as written, manufacturers would also be required to comply with other elements mandated by the HHS secretary “to demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity.” 

For example, if the secretary finds “cybersecurity information for the cyber device described in the relevant premarket submission in the cyber device’s use environment is inadequate.”

Lastly, the proposed legislation includes a requirement for manufacturers to provide a software bill of materials in the device label, including commercial, open-source, and off-the-shelf software components.

A bipartisan bill introduced in early April included similar SBOM requirements, as a means to modernize and protect overall U.S. infrastructure and bolster new medical tech. The PATCH Act targeted needed resources to improve operational security practices for both new and legacy devices.

SBOMs are machine-readable metadata that identifies software packages and contents, copyrights, and license data to provide transparency into device components, as devices often rely on third-party materials for support.

Linux data shows the healthcare sector is leading the charge on SBOM adoption and could provide an adoption model for other industries. The inclusion of SBOM requirements in the latest proposed legislation would further support greater adoption and medical devices security in healthcare.

The legislation language explains the secretary may identify devices or device types exempt from the outlined cybersecurity requirements and regulations, noting that updates may be published in the Federal Register.

In addition to the medical device security elements, the legislative package is more keenly focused on user fees and would reauthorize the Prescription Drug User Fee Act, the Generic Drug User Fee Act, the Biosimilar User Fee Act, and the Medical Device User Fee Act.

The committee is looking to finalize the bill in the coming weeks, including a vote in the Health Subcommittee this week. The congressional members noted the hope is to advance the bill out of the committee “soon” to be able to send a final bill to the president’s desk before August.