Summary: New US Bill Obliges FDA to Release Up-To-Date Cybersecurity Guidelines for Medical Devices

A new bill introduced in the US Senate on May 26th proposes timely updating of cybersecurity guidelines for medical devices and related public resources, and a Comptroller General (the chief accounting officer of the US Government) audit of the support provided and improvements needed in federal agencies to ensure cybersecurity. Titled the ‘Strengthening Cyber-security of Medical Devices Act’ (SCMDA), it was introduced by Senators Jacky Rosen and Todd Young. It has since been referred to the Senate Committee on Health, Education, Labor, and Pensions.

“Medical devices are increasingly connected to the Internet or other health care facility networks to provide features that improve the ability of health care providers to treat patients. Our bill helps ensure medical devices are protected from cyberattacks and used safely and securely in order to reduce risks and vulnerabilities for patients,” Senator Young said in a press release after the introduction of the bill. 

The security and integrity of medical devices is an issue increasingly discussed by lawmakers in other countries. In November 2021, Sajid Javid, former UK Health Secretary, ordered a review of claims of racial bias in medical devices. Weeks before the SCMDA was introduced, the US Senate Committee on Health, Education, Labor, and Pensions heard testimony from a cybersecurity expert on the cybersecurity vulnerabilities of medical devices.

Why it matters: The state of security of medical devices in India gains significance in light of the government’s health digitisation project, the Ayushman Bharat Digital Mission (ABDM), which would also feature “IoT and other devices like wearables”. Further, in India, 80% of sales from medical devices are currently generated from imports. In March, the Department of Pharmaceuticals (DoP) released the draft Medical Devices Policy 2022 with the aim to bolster India’s share in the world medical device market. However, the policy made no mention of any cybersecurity standards or safeguards. The development may prove resourceful for policymakers looking at the regulation of medical devices.

Provisions Made for Cybersecurity in the Bill

i) Reviewing guidelines for cybersecurity of medical devices

• The bill obliges the Secretary of the US Department of Health and Human Services (HHS) to review and update the medical device cybersecurity guidelines—called the ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’—every two years.
• These would guide the industry and staff of the Food and Drug Administration (FDA) on the cybersecurity of medical devices. The FDA, an agency under the Department of Health and Human Services, regulates medical devices in the US and has been responsible for issuing cybersecurity guidelines. However, according to The Verge, there are no obligations laid out presently for the FDA to publish periodic recommendations on how medical device makers should secure their devices.
• The bill says the update and review of cybersecurity guidelines should be undertaken in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and consider comments from ‘medical device manufacturers, health care providers, and patient advocates.’. The CISA is the agency in charge of ensuring cyber as well as physical security for US infrastructure.
• The HHS Secretary’s updates to the guidelines could be made to specific provisions, that is, they would not require the release of an entirely new set of guidelines, the bill says. The first update should be completed two years after the bill is enacted.

ii) Issuing information for improving cybersecurity in medical devices

Apart from specialised guidance, the bill also lays down obligations with regards to public resources made available by the FDA on cybersecurity in medical devices.

• 180-day or 6-month updates should be made by the HHS Secretary on such information;
• Resources should contain information for health care providers (such as doctors, nurses), healthcare systems, and medical device manufacturers on identifying and addressing vulnerabilities. It should also mention how these entities can obtain support from the CISA, HHS, and other government agencies for cybersecurity.

iii) Comptroller General to release audit report in a year after Act is enforced

Lastly, the bill lays down that the Comptroller General will publish a report on challenges in ensuring the cybersecurity of medical devices. It specifically asks for such a report to also examine the following:

• “Challenges for medical device manufacturers, health care providers, health systems, and patients in accessing Federal support to address vulnerabilities across Federal agencies; and
• How Federal agencies can strengthen coordination to better support cybersecurity for medical devices.”

How Do Medical Devices Fit In with ABDM?

Under the ABDM, medical devices are planned to be used as a data source for a citizen’s Electronic Health Records (EHR). The ABDM’s 2018 strategy paper said that it plans to allow citizens to add readings from “IoT and other devices like wearables” to their PHR. These readings could then be accessed by doctors when users share their electronic health records with them, during medical consultations.

During pilot projects held in Uttarakhand, Bihar, and Pune, the health records of multiple individuals were digitised and stored. They were provided smartwatches for sharing this data with Health Information Users, such as hospitals or doctors. It is expected that these projects will later be integrated with the ABDM.

Further, the NHA has also proposed the creation of a Drug Registry as part of the ABDM. The Drug Registry is proposed to be an all-in-one database for drugs in the country. At a recent consultation meeting, stakeholders asked that medical devices also be included in the Drug Registry, since they are included in the definition of drugs under the Drugs and Cosmetics Act, 1940. The stakeholders said that the inclusion of medical devices in the registry could finally lead to the creation of a comprehensive list of such devices manufactured or sold in India, especially since the use of such devices has increased due to the COVID-19 pandemic.

Also read:

Advertisement. Scroll to continue reading.

Comments are closed.