The FDA appropriations bill passed this week includes a previously introduced medical bill that requires developers to create processes for identifying and addressing security vulnerabilities and threats and to include software bills of materials. It did not contain medical device cybersecurity rules.
Passage of the bill “will reauthorize the FDA’s user fee agreement for a five-year period so that the agency will not be required to issue pink slips,” Rep. Frank Pallone Jr., D-N.J., chairman of the Energy and Commerce Commission, said in a statement.
However, the law does not include much-needed cybersecurity requirements for medical devices to ensure the security of cyberdevices that enter the market.
The House of Representatives passed the user fee reauthorization in June with overwhelming bipartisan support. While this comprehensive package aims to reauthorize FDA user fee agreements, lower costs, support innovation, and improve generic drug competition, the legislation also aims to address cyber threats throughout the lifecycle of a medical device and to strengthen regulatory requirements to ensure security.
One of the more important elements was a requirement that all manufacturers filing premarket submissions for cyber devices include relevant information to ensure that their devices meet cybersecurity requirements, with reasonable assurance of their safety and effectiveness.
Many of these elements were drawn from the highly acclaimed Protecting and Transforming Cyber Health Care (PATCH) Act, introduced in April, and related bills introduced in the House of Representatives on March 29.
“After the House passed the user fee package, bipartisan energy and commerce and HELP leaders reached consensus on language covering many key policy areas we wanted to include in the ongoing resolution,” Pallone said.
“Unfortunately, Republican leadership in the Senate blocked these policy agreements from being included,” he added.
On the bright side, Senators Patty Murray (D-Wash.) and Richard Burr (R. These important priorities.”
Providers cannot wait for Congress to take action on medical device security
The move appears to put a pause on Congress’ efforts to make changes to medical device security requirements, but stakeholders have noted the importance of passing reauthorization first and foremost. It is important to note that the FDA itself continues to work on these requirements as an agency initiative.
Government efforts tend to be slow-paced, and some of the slowdown in FDA approval is due to the “Senate bill’s diagnostic problem (an entirely different challenge), the House amendment’s cybersecurity, and judicial diversity requirements,” said Naomi Schwartz, senior director of cybersecurity quality and safety at MedCrypt.
Efforts like this require a great deal of engagement between the agency and Congress, and “we don’t have enough time to get it all done at once,” she added. Like the PATCH Act, the VALID Act requires a lot of involvement.
Given the complexity of the problem and the process itself, it’s best to treat the elements separately.
Ordr president and CEO Greg Murphy said the removal of cybersecurity provisions from the user fee bill “shows why healthcare providers cannot wait for government regulation before acting.” Congress and federal agencies are fully aware of the risks that vulnerable medical devices and cyberattacks pose to healthcare, but as noted earlier, federal efforts will take time.
Attackers continue to advance while providers await federal assistance. Murphy stressed that hospitals must instead “proactively identify and address vulnerabilities rather than waiting for legislators” to keep their organizations and patients safe.
“Regulators play a key role in facilitating the adoption of critical protective measures, but waiting for these regulations to force changes is not good policy for hospitals,” he concluded. “The PATCH Act and other bills show Congress is aware of the problem, but even the best-case legislative scenario can take years to have a meaningful positive impact on healthcare security.”