Third Party Risk Management, Critical Infrastructure Security, Endpoint Security
Bipartisan legislation seeks to allow FDA to require cyber details from manufacturers
Marianne Kolbasuk McGee (HealthInfoSec) •
April 5, 2022
Bipartisan bills introduced in the US Senate and House of Representatives aim to strengthen health care infrastructure by requiring medical device manufacturers to implement certain critical cybersecurity measures for the pre-market regulatory approval process and life cycle of their products.
See also: Third Party Risk: Log4j Lessons
Sens. Bill Cassidy, R-La., and Tammy Baldwin, D-Wis., introduced the Protecting and Transforming Cyber Health Care Act, or PATCH Act, in the Senate on Thursday; it contains the medical device proposals.
Rep. Michael Burgess, R-Texas, and Rep. Angie Craig, D-Minn., introduced companion legislation in the House on March 29.
Both the Senate and House versions of the PATCH Act contain the same proposals.
“In recent years, we have seen a significant increase in cyberattacks that have exposed vulnerabilities in our health care infrastructure, impacting patients across Wisconsin and the country. We must build on these lessons learned to better protect patients,” says Baldwin in a joint statement with Cassidy.
“New medical technologies have incredible potential to improve health and quality of life. If Americans cannot trust that their personal information is protected, this potential will never be realized,” says Cassidy, who is a physician, in the statement.
Cassidy is also a co-sponsor of another Senate bill, the Healthcare Cybersecurity Act of 2022, introduced in March with Sen. Jacky Rosen, D-Nev., which proposes closer collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, also with the goal of strengthening cybersecurity in the health and public health sector (see: Bill touts CISA and HHS teaming up to help keep the health sector safe).
PATCH Act Proposals
Among its proposals, the PATCH Act, if signed into law, would amend the federal Food, Drug, and Cosmetic Act so that the Food and Drug Administration can require manufacturers to implement certain cybersecurity requirements when they seek FDA premarket approval for their devices.
The PATCH Act also:
- Requires manufacturers to design, develop, and maintain processes and procedures to update and patch medical devices and related systems throughout the life cycle of the device;
- Requires a software bill of materials for the device, covering components such as off-the-shelf, open-source, and commercial software, to be submitted to the FDA and provided to users;
- Requires the device manufacturer to develop a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities;
- Requires a coordinated vulnerability disclosure process to demonstrate the safety and effectiveness of a device.
Pushing the ‘laggards’
Some experts say that while some medical device manufacturers are already taking many of the steps proposed by the legislation to improve the cybersecurity of their products, others are not.
“Many manufacturers are already very proactive, with thought leaders in many working groups,” says Michael Holt, president and CEO of health security company Virta Labs. “However, some lagging manufacturers need to improve cyber hygiene.”
But if it becomes law, the legislation could also create other challenges for some device manufacturers, he says. “The argument is that, in developing newer devices and technologies, this could slow down life-saving innovation by increasing the resources needed for cybersecurity and therefore time to market.”
“A lot of startups don’t even know where to start with cybersecurity implementation. The number of unpatched devices in use is incredible and it would take a lot of human resources to do the updates,” says Holt.
Currently, the FDA’s premarket and postmarket cybersecurity guidance for medical devices is considered a set of “non-binding” recommendations for manufacturers.
In 2018, the FDA issued a draft update to its premarket cybersecurity guidance for medical devices, which had originally been issued in 2014.
That 2018 draft proposed that medical device manufacturers provide a “cybersecurity bill of materials” for their products, but the FDA has not yet finalized that updated guidance. FDA officials have said regulators plan to release revised draft guidance, but no timeline has been announced.
In addition, in December 2016 the FDA published postmarket guidance on how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use.
The FDA did not immediately respond to Information Security Media Group’s request for comment on the proposed legislation.
About time?
The PATCH Act “will implement cybersecurity protocols and procedures for manufacturers seeking premarket approval through the FDA to ensure users are properly equipped to deal with foreign or domestic ransomware attacks. It’s time to examine how to modernize and protect our health care infrastructure,” Burgess says in a joint statement with co-sponsor Craig on the House legislation.
Bad actors have increasingly relied on cybersecurity vulnerabilities to take advantage of unsuspecting people and undermine national security, according to the statement. “That trend is especially alarming when it comes to personal medical devices, which can be exploited by cybercriminals, threatening the health and well-being of countless Americans,” says Craig.
Some industry experts say the PATCH bill’s intent to help improve medical device cybersecurity is an important goal.
“This is a good idea, although it’s unfortunate that it requires legislation,” says former healthcare CIO David Finn, vice president of education and association networking at the College of Healthcare Information Management Executives, a professional organization of healthcare CISOs.
“The FDA should require this. Voluntary action hasn’t driven improvement, except to identify that there are more problems than we knew about,” he says.
Finn says promising medical technologies can’t succeed if patients and providers can’t trust them to be safe from attack, which means devices must remain operational and available during an attack or outage, and the confidential patient information stored on them must be protected.
“During and post-COVID-19, remote care and remote monitoring took on a new urgency and in some cases criticality. It will be more important than ever to keep patients safe by ensuring that devices are built and deployed using privacy and security by design.”
Work in progress
The Healthcare Supply Chain Association, an industry group, says it is pleased to see the proposed PATCH Act legislation incorporate provisions that are “generally consistent” with recent guidance the group issued on cybersecurity recommendations for medical devices and services (see: Why SBOMs in the Healthcare Supply Chain are Critical).
“As information technology, software and medical devices play an increasingly important role in healthcare, it is more important than ever to ensure that cybersecurity threats do not jeopardize the health, safety, security and privacy of patients,” Todd Ebert, president and CEO of the HSCA, told ISMG.
He says: “While we take a cautious approach to additional regulatory burdens for healthcare supply chain participants, the proposed legislation is indicative of broad bipartisan support for improving cybersecurity and could help clarify cybersecurity requirements for medical device manufacturers.”
Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council, says the PATCH Act proposals are “everything the health sector has been working on with the FDA and between health care organizations and medical device manufacturers.”
For example, the HSCC and its working groups have also made efforts to help the industry address some of the challenges around medical device cybersecurity, according to Garcia.
“Our published model contract language and ongoing work on model vulnerability communications and legacy medical device cybersecurity management, all address the bill’s provisions and support the use of software BOMs.” (see: Template aims to help add cyber into medical device contracts).
“Patient safety requires cybersecurity,” Garcia says.