Medical Device Cybersecurity Provisions Included in Omnibus Appropriations Bill
The text of a $1.7 trillion omnibus appropriations bill has been released by the House and Senate Appropriations Committees which, if passed, will ensure that the government remains funded until September 30, 2023. The Senate has already started debating the bill and the House is due to consider the bill this week. The bill must be signed by the president on Friday this week, when government funding is set to expire.
The 4,155-page bill includes many healthcare provisions that will help hospitals and health systems provide better care for patients. These include the prevention of the 4% Medicare PAYGO cuts to providers, financial support for rural hospitals to ensure they can continue to operate, measures to help states prepare for Medicaid eligibility changes when the COVID-19 Public Health Emergency comes to an end, and extensions and expansions of telehealth flexibilities until December 31, 2024. This will help to ensure that telehealth and hospital-at-home programs can continue to provide convenient and accessible medical treatment for patients. The bill will also provide funding for essential behavioral health programs and several provisions that will help to increase the healthcare workforce.
The bill proposes $120.7 billion in funding for the Department of Health and Human Services, increasing HHS funds by a further $9.9 billion from last year. Funding for the Centers for Medicare and Medicaid Services will increase by $100 million, the National Institutes of Health will receive an additional $2.5 billion to focus on research on a range of diseases and medical conditions, the Centers for Disease Control and Prevention will receive a further $760 million, primarily to fund fundamental public health activities and emergency preparedness, and the Substance Abuse and Mental Health Services Administration will receive an additional $970 million for mental health programs and for expanding access to its services.
In September, the Food and Drug Administration (FDA) appropriations bill was passed to ensure the FDA continued to be funded, but in order for the bill to be passed, the FDA was forced to drop its proposed medical device cybersecurity requirements, many of which were taken from The Protecting and Transforming Cyber Health Care (PATCH) Act. Those requirements were blocked by the Senate Republican leadership.
Get The HIPAA
Compliance Checklist
Free and Immediate Download
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
HIPAA Journal Privacy Policy
There is good news in this regard, as the omnibus appropriations bill includes new requirements for medical device manufacturers to ensure that their devices meet certain minimum standards for cybersecurity. Those requirements will take effect 90 days after the bill is enacted. These include submitting a plan to the Secretary of the FDA to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures, and they must ensure their devices and associated systems are secure and must release postmarket software and firmware updates and patches. Medical device manufacturers will also be required to provide a Software Bill of Materials (SBOM) to the Secretary of the FDA that includes all off-the-shelf, open source, and critical components used by the devices.
The bill calls for the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days, and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities, and how federal agencies can strengthen coordination to improve the cybersecurity of devices.
HIPAA called for the creation of a unique patient identifier (UPI), but funding has not been provided to date. The appropriations bill continues to prohibit funding for a national patient identifier, even though a UPI would help to ensure that patients can be accurately linked with the correct medical records.
Gloss