Legislation that focuses on enhancing medical device cybersecurity passes in US House

The U.S. House of Representatives has passed legislation that puts in place cybersecurity requirements across the entire lifecycle of a "cyber device." The bill requires any manufacturer that makes a premarket submission for a cyber device to the U.S. Food and Drug Administration (FDA) to include the information needed to show the device meets those cybersecurity requirements, as the FDA determines appropriate to demonstrate a reasonable assurance of safety and effectiveness.

Titled the ‘Food and Drug Amendments of 2022,’ the bill, H.R. 7667, was introduced by Congresswoman Anna G. Eshoo, chairwoman of the Energy and Commerce Health Subcommittee, who hailed its House passage. Among other provisions, it reauthorizes the FDA user fee agreements for drugs and medical devices. Alongside its medical device cybersecurity provisions, the bill incorporates key portions of Eshoo’s DEPICT Act, bipartisan legislation to increase diversity in clinical trials.

Section 808 of the bill covers medical device cybersecurity. It requires the manufacturer of a cyber device to have a plan to appropriately monitor, identify, and address, within a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including through coordinated vulnerability disclosure and related procedures.

The manufacturer must also design, develop, and maintain processes and procedures that provide reasonable assurance that the device and related systems are cybersecure, and must make updates and patches available for the cyber device and related systems throughout the device’s lifecycle: on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks.

Additionally, the medical device cybersecurity section of Eshoo’s bill requires the manufacturer to provide, in the labeling of the cyber device, a software bill of materials (SBOM) covering the device’s commercial, open-source, and off-the-shelf software components. The manufacturer must further comply with any other requirements the Secretary (of Health and Human Services, the department that oversees the FDA) may impose to demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity; the Secretary may impose such requirements by an order published in the Federal Register.

For the purposes of the Act, the term ‘cyber device’ means a device that includes software (including software as a device or in a device), has the ability to connect to the internet, or contains any such technological characteristics that could be vulnerable to cybersecurity threats.

“With a bipartisan vote today, the House passed my legislation to allow the FDA to collect user fees to fulfill its vital mission of ensuring the safety, efficacy, and quality of America’s drugs and medical devices,” Eshoo said in a recent media statement. “I’m proud that the package includes key portions of my DEPICT Act, which would require clinical trials to include diverse populations so that all Americans can be confident that the treatments being developed work for patients, regardless of backgrounds. I look forward to working with the Senate to pass my legislation and get it to the President’s desk to be signed into law.”

The legislative move follows a related step by the FDA, an agency of the U.S. Department of Health & Human Services, which in April announced the availability of draft guidance giving the healthcare industry recommendations on cybersecurity in device design and labeling, and on the documentation the agency recommends including in premarket submissions for devices with cybersecurity risks.
