The $1.7 trillion omnibus appropriations bill signed into law by the U.S. Congress on December 29, 2022 included long-awaited authorization for the Food and Drug Administration (FDA) to establish cybersecurity requirements for manufacturers of internet-connected medical devices.[1] Such devices, which serve important health care functions and store sensitive user data, have become increasingly targeted by cyber hackers.[2] These attacks are part and parcel of the broader threats facing internet-connected or IoT devices.[3]
Although the FDA has been releasing non-binding guidance on the cybersecurity of medical devices since 2014,[4] the new legislation formally empowers the FDA to ensure that medical devices brought to market meet certain minimum cybersecurity standards. The measure is a rare congressional grant of authority for an administrative agency to regulate the cybersecurity of systems and devices that are owned and operated by private companies and individuals, and the standards developed by the FDA may serve as a starting point for regulation of security of Internet of Things devices in other contexts.
Practice Points
- Application to a broad range of devices: The legislation adopts a broad definition for Covered Devices that will be subject to the FDA’s cybersecurity requirements. This broad definition encompasses everything from internet-connected insulin pumps and blood sugar monitors to some popular smartwatches.
- Applicability only to future devices: The legislation will be applicable to only future devices, as opposed to existing devices already on the market. While the legislation requires manufacturers to submit a plan to monitor, identify and address post-market cybersecurity vulnerabilities, these requirements apply only to future premarket submissions.
- Sector-specific regulation: By focusing on the FDA, the legislation signals the federal government’s move towards adopting a sector-specific approach to regulating cybersecurity, deferring to the sector-specific expertise of each regulatory agency. In contrast to prior approaches, such as the industry-agnostic National Institute of Standards and Technology (NIST) Cybersecurity Framework, future legislation may instead authorize agencies to regulate the cybersecurity of entities in their respective areas of expertise.
Details on the Legislation
Since at least 2013, there has been support in Congress for developing security standards for internet-connected medical devices.[5] Threats to connected medical devices, such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps have been observed by the FBI, which reported in September 2022 that these devices have been compromised by hackers to “give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.”[6]
The bipartisan measure here, authorizing the creation of security standards, was passed as part of the omnibus appropriations bill signed into law by President Biden on December 29, 2022. “Covered Devices” under the statute are those devices that “(1) include[] software validated, installed, or authorized by the sponsor as a device or in a device; (2) ha[ve] the ability to connect to the internet; and (3) contain[] any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”[7] The measure incorporates concepts first introduced in March 2022 by a bipartisan group of Senators in the standalone Protecting and Transforming Cyber Health Care (PATCH) Act[8] and amends the Federal Food, Drug, and Cosmetic Act to address these threats and has two primary effects for the industry:
First, premarket submissions to the FDA for Covered Devices must now include certain information related to the cybersecurity of the device. Manufacturers are required to submit a plan to the Secretary of the FDA (the Secretary) to monitor, identify and address post-market cybersecurity vulnerabilities.[9] Manufacturers must also provide the Secretary with a Software Bill of Materials that includes commercial, open-source and off-the-shelf software components used by the device.[10]
Second, the legislation tasks various governmental entities with publishing and providing certain guidance and information. The Secretary is tasked with periodically updating guidance on premarket submissions for managing cybersecurity of medical devices, after soliciting feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates and other appropriate stakeholders.[11] The Secretary must also annually publish information and resources about improving the cybersecurity of medical devices.[12] The legislation also requires the U.S. Government Accountability Office to issue a report that identifies challenges faced by device manufacturers, health care providers, health systems and patients in accessing federal support to address vulnerabilities across federal agencies, and how federal agencies can coordinate to better support device cybersecurity, and statutory limitations and opportunities for improving device cybersecurity.[13]
Gloss