$1.7 Trillion Omnibus Spending Bill a Game Changer for Strengthening Medical Device Supply Chains  

Medical device manufacturers can no longer turn a blind eye to cybersecurity and the growing number of cyber-attacks. That is the message that the medical device community is hearing loud and clear after a new bill was signed into law in December 2022.  

At the end of 2022, US President Joe Biden signed a $1.7 trillion omnibus spending bill that funds the federal government through the end of the current fiscal year (September 2023). Within this bill (known as the Consolidated Appropriations Act, 2023), the FDA received a total of $3.5 billion in discretionary funding, an increase of $226 million above the 2022 fiscal year enacted level. This funding will go towards addressing medical device supply chain issues and the cybersecurity of medical devices, amongst a handful of other named objectives. 

Cybersecurity also features heavily in the funding for many other industries and domains. This includes: 

• $2.9 billion for CISA (Cybersecurity and Infrastructure Security Agency), which is $313.5 million above the fiscal year 2022 enacted level. This funding will go towards further advancing CISA’s cybersecurity operations as well as infrastructure security, amongst other things.  
• Cybersecurity, Energy Security, and Emergency Response. The bill provides $200 million to go towards efforts to secure the nation’s energy infrastructure against all hazards, reduce the risks of and impacts from cybersecurity events, and assist with restoration activities. 
• $100 million for the Cybersecurity Enhancement Account, an increase of $20 million above the fiscal year 2022 enacted level, to protect the Department’s critical IT systems against cyber threats. 
• Office of National Cyber Director – The bill provides the first annual appropriation of $22 million for the ONCD to support the coordination and implementation of national cybersecurity policy and strategy. 

The Consolidated Appropriations Act, 2023 was passed by Congress on December 23, 2022 and signed into law by President Biden on December 29, 2022. The bill includes long-awaited authorization for the Food and Drug Administration (FDA) to establish cybersecurity requirements for manufacturers of connected medical devices.  

New Authority for FDA To Enforce Cybersecurity Measures 

Since 2014, the FDA has been releasing non-binding guidance and recommendations on the cybersecurity of medical devices. However, this new legislation formally empowers the FDA to ensure that medical devices meet minimum cybersecurity requirements. This move represents a significant milestone in the ongoing quest to strengthen medical device supply chains and the nation’s medical device cybersecurity infrastructure.

Speaking of the bill and what it represents, Dr. Suzanne Schwartz of the FDA had this to say: 

“While we have been urging and encouraging manufacturers in the medical device space to take up cybersecurity of medical devices from a total product lifecycle approach, from initial device stage to end-of-life, we utilized our approach through guidance, which is a non-binding recommendation. 

Although we have said over and over that cybersecurity of medical devices is not optional and not voluntary, until now we’ve never had the power of statute, of actual legislation, requiring manufacturers to address cybersecurity of medical devices. Putting that link between reasonable assurances of safety and effectiveness of medical devices to medical device cybersecurity – that is highly significant for us.”

As Schwartz says, the bill has given the FDA “explicit authorities and oversight” to “advance the state of the ecosystem for cybersecurity.” Schwartz went on to say that the new authority granted by the bill is “a massive shift, and we’re quite excited about what the future holds in store.”  

What Does the Omnibus Bill Mean for Medical Device Manufacturers? 

The Consolidated Appropriations Act itself is over 4,000 pages long and contains a variety of provisions that impact healthcare, including medical device security requirements for manufacturers. But what does all of this mean for medical device manufacturers? What is now required under law? 

1/ Manufacturers Must Provide Significant Evidence of Patchability and Updatability 

Many of the provisions outlined in the Consolidated Appropriations Act align closely with the PATCH Act, which we’ve spoken about in the past at Nova Leah. The PATCH Act introduced a series of requirements for medical device and network security. These requirements were imposed on medical device manufacturers who are applying for premarket approval through the FDA.  

The PATCH Act enables manufacturers to design, develop and maintain processes and procedures to update and patch medical devices and related systems throughout the product lifecycle. The act advocates the use of a software bill of materials (SBOM) as a means to strengthen cybersecurity. If put into place, the act would also require the development of plans to monitor, identify and address post-market cybersecurity vulnerabilities.   

In line with this, under the new law, medical device manufacturers must include sufficient evidence of the device’s ability to be updated and patched and its security controls and testing up front, when making premarket product submissions to FDA. 

According to the bill, when making a premarket submission, medical device manufacturers must: 

1. “Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address — 
   • on a reasonably justified regular cycle, known unacceptable vulnerabilities; and 
   • as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;” 

2/ Medical Devices Must Meet Minimum Cybersecurity Requirements 

Devices that contain software are now required to include certain information in their premarket submissions. This includes information relating to device security, the identification of cybersecurity vulnerabilities, and a software bill of materials.  

Section 3305 of the omnibus bill stipulates that, when making a premarket submission, medical device manufacturers must include information which shows that devices meet certain cybersecurity requirements. Specifically, manufacturers must “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures”. 

As well as this, manufacturers are asked to “comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure”. 

Again, all of this means that medical device manufacturers must prove that their devices are up to a minimum standard in terms of cybersecurity and medical device risk management.  

3/ Software Bill of Materials to Be Required Up Front 

Importantly, the new bill also requires medical device submissions to include an SBOM. Below is what is stated in section 3305 of the omnibus: 

“The sponsor of an application or submission shall provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components;” 

An SBOM provides a list of all software components within a given device. Items listed within an SBOM include libraries, drivers, firmware, licenses, and operating systems. Given the obvious similarities, an SBOM is often depicted as a nutrition label or ‘ingredients list’ for software.  

For many years, FDA has underscored the importance of SBOMs to the entire healthcare ecosystem. The new bill has moved SBOMs from something that is ‘recommended’ to something that is ‘required’ by FDA as part of the premarket submission process.

This, once again, highlights the important role that SBOMs are set to play in the future of medical device security.   
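To make the SBOM requirement concrete, here is an added example (not code from the article or from Nova Leah) that checks a CycloneDX-format SBOM for the completeness a premarket reviewer would look for: every component carries a name, version, supplier and license, and the commercial, open-source and off-the-shelf categories named in section 3305 are all represented. The sample SBOM, the device name and the "origin" property used to tag each component's category are constructed assumptions for this example.

```python
"""Completeness check for a medical-device SBOM in CycloneDX JSON form."""
import json

# Constructed CycloneDX 1.4-style document for a hypothetical infusion pump.
# The "origin" property is an assumption made for this example; CycloneDX
# does not mandate a particular property name for component provenance.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "PumpX", "version": "2.1"}},
    "components": [
        {"type": "operating-system", "name": "embedded-linux", "version": "5.10",
         "supplier": {"name": "Example Linux Distributor"},
         "licenses": [{"license": {"id": "GPL-2.0-only"}}],
         "properties": [{"name": "origin", "value": "open-source"}]},
        {"type": "library", "name": "crypto-lib", "version": "3.0.7",
         "supplier": {"name": "Example Vendor Inc."},
         "licenses": [{"license": {"name": "Commercial"}}],
         "properties": [{"name": "origin", "value": "commercial"}]},
        # Deliberately incomplete entry: no version, supplier or license.
        {"type": "firmware", "name": "ble-stack", "version": "",
         "properties": [{"name": "origin", "value": "off-the-shelf"}]},
    ],
})

# The three component categories the bill text says an SBOM must include.
REQUIRED_ORIGINS = {"commercial", "open-source", "off-the-shelf"}


def check_sbom(sbom_json):
    """Return a list of findings; an empty list means the SBOM is complete."""
    doc = json.loads(sbom_json)
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    seen_origins = set()
    for comp in doc.get("components", []):
        label = comp.get("name", "?")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier")
        if not comp.get("licenses"):
            findings.append(f"{label}: missing license")
        for prop in comp.get("properties", []):
            if prop.get("name") == "origin":
                seen_origins.add(prop.get("value"))
    for origin in sorted(REQUIRED_ORIGINS - seen_origins):
        findings.append(f"no component tagged as {origin}")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
```

Run against the sample, the check reports only the three gaps in the incomplete firmware entry; an SBOM with no components at all is reported as missing every required category.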
When Do The New Rules Come Into Effect?

The new rules come into effect on March 22nd 2023.

Thereafter, anyone submitting a cyber device to the FDA must:

1. Submit to the FDA Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address: (a) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and (b) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks; and
3. Provide to the Secretary of the FDA a software bill of materials, including commercial, open-source, and off-the-shelf software components.