Medical Device Cybersecurity Requirements Stripped from FDA Reauthorization Bill

September 30, 2022

The U.S. Food and Drug Administration (FDA) user fee reauthorization bill passed by the House of Representatives in June included new provisions requiring medical device manufacturers to monitor for and address postmarket cybersecurity vulnerabilities in their devices, and to ensure that medical devices are labeled with a software bill of materials and are capable of receiving patches to maintain cybersecurity for the entire lifecycle of the devices. The bill was passed with a vote of 392-28; however, those cybersecurity requirements have now been stripped out.

The FDA’s authorization to collect fees from the healthcare sector to conduct independent reviews of drugs and medical devices was due to come to an end on September 30, and with time running out, the FDA bowed to pressure from Senate Republicans and stripped out the new cybersecurity requirements for medical device manufacturers. Were the FDA’s 5-year authorization not to be renewed, the FDA anticipated only being able to continue with its review activities for around 5 weeks before its money ran out. The FDA reauthorization was included in a temporary spending bill that has now been passed and will keep the FDA and the rest of the federal government funded through December 16, 2022.

“In June, the House passed a user fee reauthorization package on time with overwhelming bipartisan support. After the House passed its user fee package, bipartisan Energy and Commerce and HELP leaders came to agreement on language to cover many significant policy areas that we wanted included in the Continuing Resolution,” said Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) in a statement. “Unfortunately, Senate Republican leadership blocked these policy agreements from being included.”

U.S. Senators Patty Murray (D-WA) and Richard Burr (R-NC), Chair and Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), issued a statement on the FDA reauthorization. “We are glad to announce an agreement to reauthorize the FDA user fee programs, which will ensure that FDA can continue its important work and will not need to send out pink slips. However, there is more work ahead this Congress to deliver the kinds of reforms families need to see from FDA, from industry, and from our mental health and pandemic preparedness efforts.” The senators confirmed that they are committed to continuing that work, and will be including strong, bipartisan legislation in a robust end-of-year package.

The removal of the cybersecurity requirements is a disappointment but not surprising. Healthcare organizations should not wait for regulatory changes; they should proactively identify and address vulnerabilities in medical devices to protect the security of their networks, the confidentiality of data, and patient safety.

The post Medical Device Cybersecurity Requirements Stripped from FDA Reauthorization Bill appeared first on HIPAA Journal.