Bill Calls on FDA to Regularly Update Medical Device Security Guidelines

Senators introduced a bill that would require the FDA to update medical device security guidelines every two years.

By Jill McKeon

The recently introduced Strengthening Cybersecurity for Medical Devices Act calls on the US Food and Drug Administration (FDA) to review and update its medical device security guidelines more frequently.

Introduced by Senators Jacky Rosen (D-NV) and Todd Young (R-IN), the bipartisan legislation would specifically require the FDA to work with the Cybersecurity and Infrastructure Security Agency (CISA) to review industry guidance, make appropriate updates every two years, and provide the industry with new information on improving the cybersecurity of medical devices.

That new information should include guidance on identifying and addressing medical device security vulnerabilities and how providers, health systems, and medical device manufacturers can effectively get support from CISA, HHS, and other government entities.

“Medical devices are increasingly connected to the Internet or other health care facility networks to provide features that improve the ability of health care providers to treat patients,” Young said in an accompanying press release.

“Our bill helps ensure medical devices are protected from cyberattacks and used safely and securely in order to reduce risks and vulnerabilities for patients.”

In addition, the act would require a report from the Government Accountability Office (GAO) evaluating the challenges that providers, health systems, and manufacturers face in accessing federal support when addressing medical device security vulnerabilities. The report also must include guidance on how federal agencies can improve coordination to bolster medical device security.

“The thing that makes this Bill important is that it sets out requirements to update the guidance on a more frequent and regular basis, thereby recognizing the dynamic and changing nature of the threat, and it lays out responsibility for regularly updating information for improving cybersecurity of medical devices both before and after manufacturing, and, last but not least, a requirement for an independent GAO study identifying the challenges to securing medical devices,” Mac McMillan, CEO and founder of healthcare cybersecurity firm CynergisTek, told HealthITSecurity.

“One of the biggest challenges that we have in cybersecurity is that the standards and guidance for addressing current risks are often antiquated. To be truly helpful it must be current and that is what this legislation attempts to address. What doesn’t get measured often doesn’t happen. S.4336 adds measurement and accountability.”

Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected. Persistent struggles with securing and keeping track of medical devices, the industry's reliance on legacy systems, and an increased focus on cybersecurity at a federal level have prompted recent legislative action.

In early April, senators introduced the Protecting and Transforming Cyber Health Care (PATCH) Act with the intention of ensuring medical device security at the premarket stage. Recently introduced FDA user fee legislation also contained medical device security provisions aimed at addressing cybersecurity concerns at the premarket stage.

These legislative efforts could transform how manufacturers secure medical devices and how federal agencies help healthcare stakeholders navigate medical device security. Rather than waiting on the lengthy legislative process to run its course, healthcare organizations should focus on implementing cybersecurity best practices and proactively mitigating risk.