In the sprawling 4,100-page, $1.7 trillion omnibus bill released Tuesday by the House and Senate appropriations committees, Section 3305 paves the way for substantial enhancements to medical device cybersecurity. It also represents legislative acknowledgement that patient safety can hinge on the security of connected medical devices, and that any operational disruption could bring life-threatening delays to patient care.
Once passed, the relevant provisions in the bill would require vendors submitting medical devices for approval to the Food and Drug Administration (FDA) to meet a number of cybersecurity requirements. Foremost, those requirements focus on concrete processes for addressing post-market vulnerabilities on regular timetables as well as out-of-band fixes for critical bugs. The bill also spells out the need for transparency with regard to the software components used in a medical device in order to better address cybersecurity issues.
Given the increasing use of software in connected medical devices, the cybersecurity provisions included in this year’s omnibus represent a critical step forward in ensuring patient safety. Even well-constructed code can contain high-impact vulnerabilities that undermine the ability of software to function properly, and with the prolific use of third-party and open source software, medical device manufacturers may not even be aware of vulnerabilities in their products that can affect patient care.
The provisions in the omnibus bill—part of the Protecting and Transforming Cyber Health Care (PATCH) Act—lay out important guidance to ensure device manufacturers are ready, willing, and able to identify and respond to post-market vulnerabilities in their products within 90 days.
Another provision would require device vendors to provide the FDA with a software bill of materials (SBOM) that specifies all commercial, open source, and off-the-shelf software components used in a device. Through this SBOM requirement, vendors are further compelled to determine whether problems exist in the third-party components they use in building their software. Medical device manufacturers can no longer turn a blind eye to the risks posed to patients by security flaws in the software they use.
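The check the SBOM requirement is meant to enable is mechanical: list every third-party component and its version, then compare that list against known vulnerability advisories. The following is an added illustration, not code from the article, the FDA, or any device vendor. It assumes the SBOM is in the CycloneDX JSON shape (a real SBOM standard); the SBOM document itself, the component names, the advisory list and its `ADV-EXAMPLE-*` identifiers are all constructed sample data, not real components or real CVE entries. The "out-of-band fix" versus "scheduled patch cycle" labelling is an illustrative mapping of the bill's distinction between regular timetables and critical bugs, not a defined rule.

```python
"""Cross-check a software bill of materials (SBOM) against a list of advisories.

Added example. The SBOM below follows the CycloneDX JSON layout, but its
contents are constructed; the advisories are constructed sample data with
placeholder identifiers, not a real vulnerability feed.
"""
import json

# Constructed SBOM for a hypothetical device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {"type": "firmware", "name": "example-pump-firmware", "version": "2.3.0"}
  },
  "components": [
    {"type": "library", "name": "example-tls",  "version": "1.4.2", "purl": "pkg:generic/example-tls@1.4.2"},
    {"type": "library", "name": "example-rtos", "version": "3.0.1", "purl": "pkg:generic/example-rtos@3.0.1"},
    {"type": "library", "name": "example-json", "version": "0.9.0", "purl": "pkg:generic/example-json@0.9.0"}
  ]
}
"""

# Constructed advisory list: affected range is [introduced, fixed); fixed=None means no fix yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-tls",  "introduced": "1.0.0", "fixed": "1.4.5", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "example-rtos", "introduced": "2.0.0", "fixed": "3.0.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "component": "example-json", "introduced": "0.8.0", "fixed": None,    "severity": "medium"},
]


def version_tuple(version):
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def version_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = version_tuple(version)
    if v < version_tuple(introduced):
        return False
    if fixed is not None and v >= version_tuple(fixed):
        return False
    return True


def parse_sbom(text):
    """Extract (name, version, purl) for every component in a CycloneDX JSON SBOM.

    A component without a name or version is rejected: an incomplete SBOM
    cannot be matched against advisories and should not pass silently.
    """
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    components = []
    for comp in bom.get("components", []):
        if "name" not in comp or "version" not in comp:
            raise ValueError(f"component missing name or version: {comp!r}")
        components.append({
            "name": comp["name"],
            "version": comp["version"],
            "type": comp.get("type", "library"),
            "purl": comp.get("purl"),
        })
    return components


def match_advisories(sbom_text, advisories):
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for comp in parse_sbom(sbom_text):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if version_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "id": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "severity": adv["severity"],
                    # Illustrative mapping: critical bugs get an out-of-band fix,
                    # everything else rides the regular patch timetable.
                    "response": "out-of-band fix" if adv["severity"] == "critical" else "scheduled patch cycle",
                    "fixed_in": adv["fixed"],
                })
    return sorted(findings, key=lambda f: f["id"])


if __name__ == "__main__":
    for finding in match_advisories(SBOM_JSON, ADVISORIES):
        print(finding)
```

Run as a script, it lists two findings: the TLS library is inside an affected range with a fix available, so it is flagged for an out-of-band fix; the JSON library is affected with no fix yet, so it stays on the regular cycle and needs monitoring; the RTOS is already past the fixed version and is not reported. In practice the advisory list would come from a maintained vulnerability feed keyed by package URL rather than from an inline list.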
The legislation goes a step further by updating the guidance on Premarket Submissions of Medical Devices, after soliciting feedback from a variety of stakeholders in industry and from CISA. This ensures the guidance keeps up with the changing nature of the security concerns of digital technology.
With increasing connectivity and threats, this legislation gives healthcare delivery organizations (HDOs) confidence and certainty in the security of the medical devices they rely on. That confidence requires transparency, and providing SBOMs supports greater transparency of the data submitted by device manufacturers.
The $1.7 trillion omnibus bill, which is expected to fund the government through next September, goes before the Senate for approval, then the House. Both bodies are expected to approve the bill before government funding runs out on Friday.