The $1.7 trillion omnibus spending bill signed into law last week by President Joe Biden contains new cybersecurity requirements for medical devices that make it a game changer for strengthening security within the healthcare ecosystem, says Dr. Suzanne Schwartz of the U.S. Food and Drug Administration.
“After a good number of years informing the ecosystem how critical cybersecurity is to patient safety and the security of the healthcare and public health critical infrastructure, we now have validation and acknowledgment of its criticality by having this put into law,” says Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health.
Many of the provisions included in the new legislation – the Consolidated Appropriations Act of 2023 – broadly mirror actions that the FDA has already been urging medical device makers to take in ensuring the cybersecurity of their products.
Similar proposals were also contained in a handful of previous bills aimed at improving medical device cybersecurity – such as the PATCH Act last year – that did not gain traction as stand-alone bills (see: Medical Device Security Provision Now Part of Spending Bill).
But now, under the new law, manufacturers must include in their product submissions to the FDA sufficient evidence that the device can be updated and patched, evidence of its security controls and security testing, and a software bill of materials covering the commercial, open-source and off-the-shelf software components it contains.
“That is required upfront,” Schwartz says in an interview with Information Security Media Group.
Life Cycle Security
While the law pertains to new products, “those measures taken in the early stages will further enable us to have far more secure devices throughout the life cycle, as those devices stay on the market and are in clinical use – as opposed to what we currently face – which have frankly been very challenging to be updated or patched in a secure manner,” she says.
“Even though we have said over and over that cybersecurity of medical devices is not optional and not voluntary, we’ve never had until now the power of statute, of actual legislation, requiring manufacturers to address cybersecurity of medical devices,” she says.
“Putting that link between reasonable assurances of safety and effectiveness of medical devices to medical device cybersecurity – that is highly significant for us,” she says.
In the past, the FDA used its “implicit authority” through its quality system regulation to help advance the state of the ecosystem for cybersecurity, according to Schwartz.
“Now we have explicit authorities and oversight for doing so. That’s a massive shift, and we’re quite excited about what the future holds in store.”
The legislation also provides the FDA with $5 million in funding to help support its expanded medical device cybersecurity regulatory efforts.
In this audio interview with Information Security Media Group, Schwartz also discusses:
- Key takeaways for medical device makers and healthcare delivery organizations regarding the potential impact of the newly enacted law and the FDA’s enforcement of the new medical device cybersecurity requirements;
- The future of the FDA’s updated draft guidance for the cybersecurity of premarket medical devices issued last April;
- How the new law meshes with President Biden’s 2021 executive order for bolstering cybersecurity in the federal government and the implications of other significant security provisions contained in the legislation.
Schwartz supports the FDA’s medical device cybersecurity program, which includes raising awareness, educating, and conducting outreach, partnering and coalition building within the healthcare and public health sector, as well as fostering collaborations across other government agencies and the private sector. She also chairs CDRH’s cybersecurity working group, tasked with formulating the FDA’s medical device cybersecurity policy, and has served as co-chair of the Government Coordinating Council for the healthcare and public health critical infrastructure sector.