The much-anticipated cybersecurity requirements for medical devices were dropped from the FDA user-fee package, serving as a reminder that healthcare providers should not wait to act on medical device security. (Photo credit: "US Capitol" by Navin75 is licensed under CC BY-SA 2.0.)

The FDA appropriations bill passed this week did not include previously introduced medical device cybersecurity rules requiring developers to create processes for identifying and addressing security vulnerabilities and threats, and to include a software bill of materials.

The bill’s passage will “reauthorize the FDA user fee agreements for five years to ensure the agency does not need to issue pink slips,” Energy and Commerce Committee Chairman Rep. Frank Pallone Jr., D-N.J., said in a statement.

However, the legislation no longer includes the long-awaited cybersecurity requirements for medical devices that would ensure the security of cyber devices brought to market.

The reauthorization of user-fee agreements passed in the House with overwhelming bipartisan support in June. While the comprehensive package aimed to reauthorize FDA user-fee agreements, target lower costs, support innovation and improve generic drug competition, the legislation was also designed to bolster the regulatory requirements to ensure cybersecurity throughout the medical device lifecycle.

One of the more important elements would have required any manufacturer issuing premarket submissions of a cyber device to include any relevant information that would ensure the device met cybersecurity requirements with reasonable assurance of safety and effectiveness.

Many of these elements were drawn from the highly lauded Protecting and Transforming Cyber Health Care (PATCH) Act introduced in April and a companion bill introduced in the House of Representatives on March 29.

“After the House passed its user-fee package, bipartisan Energy and Commerce and HELP leaders came to agreement on language to cover many significant policy areas that we wanted included in the continuing resolution,” noted Pallone. 

“Unfortunately, Senate Republican leadership blocked these policy agreements from being included,” he added.

On the bright side, Sens. Patty Murray, D-Wash., and Richard Burr, R-N.C., as well as Pallone, reaffirmed Congress’ commitment to negotiating the inclusion of these elements “ahead of the December government funding deadline to revisit these key priorities.”

Providers can’t wait on Congress to act on medical device security

While the move does seem to press pause on congressional efforts to move the needle on medical device security requirements, stakeholders note the importance of passing the reauthorization first and foremost. It’s important to note that the FDA itself is continuing to work on these requirements as an agency initiative, as well.

Government efforts tend to go at a slower pace, and part of the FDA authorization slowdown was due to the government “looking at the diagnostics issue in the Senate bill (a whole separate ordeal), cybersecurity in the House amendments, and trial diversity requirements,” said Naomi Schwartz, MedCrypt’s senior director of cybersecurity quality and safety.

Efforts like these will take a great deal of engagement between the agency and Congress, and “there simply isn't enough time to achieve all of it at once,” she added. It’s more important to pass the continuing resolution. Like the PATCH Act, the VALID Act will take a lot of engagement.

In light of the complexity of the issues and process itself, the elements are best handled separately.

Ordr President and CEO Greg Murphy notes that the removal of the cybersecurity provisions from the user-fee bill “illustrates why healthcare organizations can’t wait for government regulations before acting.” Congress and federal agencies are wholly aware of the risk that vulnerable medical devices and cyberattacks pose to healthcare but, as noted, federal efforts take time.

Threat actors are continuing to forge ahead while providers wait for federal support. Murphy stressed that hospitals should instead be “proactively identifying and addressing vulnerabilities rather than waiting for legislators” to protect the organization and patient safety.

“While regulators have a vital role to play in driving adoption of key protective measures, waiting for those regulations to force change is not good policy for hospitals,” he concluded. “The PATCH Act and other bills show that Congress is aware of the problem, but even a best-case legislation scenario might take years to provide meaningful positive impact in healthcare security.”