Medical Device Cybersecurity Industry Update June 2022

Senators push for more frequent medical device cybersecurity guidance from FDA 

In April 2022, Nova Leah reported on how the FDA had published an overhauled draft guidance on medical device cybersecurity for submitting a premarket submission. We then provided a 3-part series that went through what this new guidance would mean for medical device manufacturers and the healthcare industry. 

With this new guidance, what was most interesting to note was the length of time it took to update and modernize previous guidance. When finalized, this guidance will supersede Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Final Guidance, October 2, 2014. This means that the premarket guidance hasn’t been updated in almost eight years. This is a long time coming, especially in the current climate where the threat landscape is growing more and more sophisticated each year and connected medical devices are becoming ever more prominent. 

This pace of change has been put under the microscope of late. After years of devastating cybersecurity breaches and warnings from cybersecurity experts about the vulnerabilities of medical devices, congress is finally stepping in to make sure medical device cybersecurity guidelines are updated more frequently.

New Bill Calls on FDA to Regularly Update Medical Device Security Guidelines 

Bipartisan legislation introduced by Senators Jacky Rosen (D-NV) and Todd Young (R-IN) at the start of June, calls on the US Food and Drug Administration (FDA) to review and update its medical device security guidelines more frequently. This is of great significance for those in the medical device industry as it means that guidelines need to be reviewed and adhered to on an ongoing basis. 

The bill also calls on the FDA to share information about vulnerable devices on its website. This information should include guidance on identifying and addressing medical device security vulnerabilities and how providers, health systems, and medical device manufacturers can effectively get support from CISA, HHS, and other government entities.

In a press release published at the time, Senator Rosen gave an insight into the rationale behind the bill. 

In light of increased cyber threats, we must strengthen the security of our healthcare system’s cyber-infrastructure. This bipartisan bill that I have introduced with Senator Young will ensure that medical devices and technologies are up to date with the latest cybersecurity, protecting patients and health care systems.” 

The bipartisan Strengthening Cybersecurity for Medical Devices Act requires FDA, in consultation with the Cybersecurity and Infrastructure Security Agency (CISA), to review guidance for industry and FDA staff regarding medical device cybersecurity and make updates as appropriate at least every two years. This provision ensures a timelier reviewing schedule to keep guidance more current. 

Healthcare organizations often maintain thousands of medical devices. Persistent struggles with securing medical devices, as well the industry’s reliance on legacy systems, has prompted legislative action. This landmark move should go a long way towards securing the future of the medical device industry and making sure that the healthcare industry is safer and more secure for patients and healthcare providers. 

PATCH Act to Ensure Medical Device Security 

Added to that, US Senators Bill Cassidy and Tammy Baldwin introduced the Protecting and Transforming Cyber Health Care (PATCH) Act. The PATCH Act was created with the specific intention of enhancing medical device security at the premarket stage.  

Within the bill itself it states that the act was brought in to “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.” 

The PATCH Act introduces a series of requirements for medical device and network security. These requirements are imposed on medical device manufacturers who are applying for premarket approval through the FDA. The PATCH Act enables manufacturers to design, develop and maintain processes and procedures to update and patch medical devices and related systems throughout the product lifecycle. The act advocates the use of a software bill of materials (SBOM) as a means to strengthen cybersecurity. If put into place, the act would also require the development of plans to monitor, identify and address post-market cybersecurity vulnerabilities.  

Safety and effectiveness of a medical device is further reinforced by requesting a coordinated vulnerability disclosure (CVD). This is a process in which those that find vulnerabilities collaborate with one another and share insights with relevant stakeholders. This process affords medical device manufacturers the opportunity to diagnose and implement corrective measures before detailed information about a vulnerability is disclosed to the public and may be exploited.   

These legislative changes will no doubt transform how medical device manufacturers secure their devices. It will also change the way in which federal agencies assist healthcare operators in undertaking medical device security going forward. 

For medical device manufacturers and healthcare operators, one of the ways that you can ensure compliance throughout the product life cycle is through integrating with an expert cybersecurity risk assessment platform such as SelectEvidence.  

Talk to one of our team today about how you can use SelectEvidence to comply with legislative changes and manage cybersecurity risk more effectively. The regulatory environment is going through some dramatic changes and SelectEvidence can ensure that you and your organization stay in line with it.