January 11, 2022
By Axel Wirth, MedCrypt Chief Security Strategist, and Naomi Schwartz, MedCrypt Senior Director of Cybersecurity Quality and Safety
The ‘‘Consolidated Appropriations Act, 2023’’ (H.R. 2617) was passed by the U.S. Senate and signed into law by President Biden on December 29, 2022. The $1.7 trillion omnibus spending bill accomplishes a number of objectives, including funding the US government through the 2023 fiscal year as well as a set of foreign and domestic policy goals ranging from support for Ukraine, defense, and natural disaster aid. Further, it will have significant implications for the healthcare industry as well as cybersecurity in general and specifically for how security for medical devices is regulated and enforced.
The general cybersecurity provisions include significant funding to improve offensive capabilities across all levels of government and industry organizations as well as critical infrastructure industries, for example technology modernization, acquisition visibility, infrastructure improvements, hiring and education. Furthermore, the Act includes investments into cyber-defense (e.g., cybercrime and law enforcement, reduction of cyber-espionage or sabotage risks, threat intelligence sharing, reduction of cyber risk to the civilian population).
Included is also the Food and Drug Omnibus Reform Act (FDORA), providing approximately $6.56 billion in total funding for FDA for the fiscal year 2023. This is especially timely for the healthcare industry. After years of increasing cyber compromises (e.g., a 12% average YoY increase in reported data breaches) combined with multiple other stressors (e.g., staffing shortages, revenue shortfall, pandemic response), improving the healthcare sector’s security posture has become an urgent priority for government and industry alike.
Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) are explicitly referenced with increasing authorities and funding, the latter to ensure cybersecurity of medical devices by amending the Federal Food, Drug, and Cosmetic Act to explicitly include statutory authority to regulate cybersecurity of medical devices where in the past, cybersecurity was considered as part of the risk management process and was based on interpretation of existing Quality System Regulations and recommendations via guidance.
These amendments take effect 90 days after the date of enactment of this Act.
Manufacturers must now include evidence of security controls and security testing, as well as plans to maintain device’s security posture through updates and patches, all supported by documented evidence, e.g., a software bill of materials for commercial, open-source, and off-the-shelf software components.
These requirements are applicable to devices and systems that include software, can connect to the internet, and could be vulnerable to cybersecurity threats. To meet all aspects of these requirements, new regulations may need to be developed.
Reasonable assurance of the safety and effectiveness of devices may require assurance of cybersecurity, including for devices previously approved or cleared. As stated in the Act: “Nothing in this section, including the amendments made by this section, shall be construed to affect the Secretary’s authority related to ensuring that there is a reasonable assurance of the safety and effectiveness of devices, which may include ensuring that there is a reasonable assurance of the cybersecurity of certain cyber devices, including for devices approved or cleared prior to the date of enactment of this Act.”
The need to improve the healthcare sector’s cyber resilience is clearly expressed in various sections of the Omnibus Act. This goes hand-in-hand with other cybersecurity initiatives (current and expected) under the Biden administration that will aim to further reduce cyber-related risks to the healthcare sector in general and medical devices specifically.
Additional executive and legislative efforts can be expected to help bring the entire industry up to a minimum standard for cybersecurity. This may include financial incentives for hospitals to adopt minimum cybersecurity requirements. Such a blueprint was recently published by US Senator Warner highlighting three focus areas:
The Omnibus Act outlines supporting efforts across government agencies, including FDA, CISA, and HHS, that can be expected and lays out significant budget increases to lay the groundwork — e.g., a budget increase for HHS to $121 billion, and $5 million for FDA specifically for medical device cybersecurity efforts.
In healthcare, cybersecurity is directly related to patient safety and hospitals’ ability to deliver timely and quality care. In a recent interview, Dr. Suzanne Schwartz, Director of the Office of Strategic Partnerships & Technology Innovation, FDA CDRH, stated “Even though we have said over and over that cybersecurity of medical devices is not optional and not voluntary, we’ve never had until now the power of statute, of actual legislation, requiring manufacturers to address cybersecurity of medical devices.”
In other words, FDA’s traditional implicit authority via regulation of quality systems has now become an explicit authority that enables direct oversight in matters of cybersecurity.
The statutory authority and appropriations allocated to FDA should lead to increased resources, training and awareness of cybersecurity across CDRH. Increased resources will lead to more consistent review, more secure devices going to market and increased scrutiny of security in the postmarket. This is a huge win for device users as it will improve the security of devices across the board, increase transparency of security measures taken by MDMs, improve communications between MDMs and device users, and accelerate adoption of best practices.
The provisions of the Omnibus Act go hand in hand with President Biden’s national cyber strategy to make critical infrastructure more secure. This new, comprehensive cybersecurity strategy is expected to be announced in the coming weeks. It will shift away from the previous voluntary approach focused on information sharing and public-private partnerships and shift towards a regulatory approach to ensure national security and public safety.
Recognizing the need for progress on a national level, executive and congressional action will be required to support a combination of new regulation and the shifting of liability. Critical sectors need a higher but also consistent level of security. Harmonization across sectors and government agencies and establishing a security baseline will also prevent confusion and inefficiencies through a patchwork of regulations and enforcement.
Want to learn more about the Omnibus Act and medical device cybersecurity? Contact us info@medcrypt.com and visit us at medcrypt.com.
December 13, 2024
December 4, 2024
Get the latest healthcare cybersecurity news right in your inbox.
We'll never spam you or sell your information