Key Medical Device Security Requirements Included in Omnibus Bill

The 4,100-page omnibus bill keeps the government funded through September 30 and includes key medical device security provisions.


By Jill McKeon

The House and Senate Appropriations Committees released the text of an omnibus appropriations bill that would keep the government funded through September 30, 2023. The document is more than 4,000 pages long and contains a variety of provisions that will impact healthcare, including medical device security requirements for manufacturers.

As previously reported, lawmakers and healthcare leaders have been pushing for further guidance and regulations surrounding medical device security. Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected and could pose security risks. 

Ongoing struggles with securing and keeping track of medical devices, the industry's reliance on legacy systems, and an increased focus on cybersecurity at a federal level have prompted legislative action.

The omnibus bill would allocate $120.7 billion in total spending to HHS, signifying an increase of $9.9 billion, the American Hospital Association (AHA) noted in its bill summary. The funds will go toward a variety of HHS agencies, including CMS, the National Institutes of Health (NIH), and the Centers for Disease Control and Prevention (CDC), with an emphasis on medical research.

Section 3305 of the omnibus bill includes language that would require medical device manufacturers to ensure that their devices meet select cybersecurity requirements. Specifically, manufacturers must “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the bill states.

Additionally, manufacturers must design, develop, and maintain processes and procedures that provide reasonable assurance that their devices and related systems are secure, which includes making postmarket updates and patches available. These requirements take effect 90 days after the enactment of the Act.

“Given the increasing use of software in connected medical devices, the cybersecurity provisions included in this year’s omnibus represent a critical step forward in ensuring patient safety,” said Grant Geyer, chief product officer at Claroty.

“Even well-constructed code can contain highly impactful vulnerabilities that can impact the ability of software to function properly, and with the highly prolific use of third-party and open-source software, medical device manufacturers may not even be aware of exploits that can impact patient care.”

The bill would also require manufacturers to provide a software bill of materials (SBOM) to the Secretary including off-the-shelf, open-source, and commercial components.  

“Through the requirement to release a software bill of materials (SBOMs) with their products, they are further compelled to determine if problems exist in the third-party components they leverage in software construction,” Geyer noted.

“Medical device manufacturers can no longer turn a blind eye to the risks posed to patients by security risks in the software they use.”
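The SBOM requirement above is only useful if someone actually cross-checks the listed components against known vulnerabilities. The following is an added example, not code from the article, the bill, or any manufacturer's tooling: it reads a minimal CycloneDX-style JSON SBOM and matches each component against an advisory list, flagging versions below the fixed version and, separately, components that carry no version at all (which cannot be checked and should be treated as a gap rather than as clean). The CycloneDX document shape is real, but the device, component names, versions, and advisory IDs are constructed for illustration, and the version ordering used here is a deliberate simplification of the rules real package ecosystems apply.

```python
"""Cross-check a CycloneDX-style SBOM against a list of known-vulnerable versions.

Added example; the SBOM content and the advisory list are constructed and do
not describe any real device, component release, or CVE.
"""
import json
import re

# Constructed minimal SBOM in the shape of a CycloneDX 1.4 JSON document.
# Real SBOMs carry far more metadata (hashes, licenses, dependency graph).
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1q", "purl": "pkg:generic/openssl@1.1.1q"},
    {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "operating-system", "name": "vendor-rtos", "version": "7.4"},
    {"type": "library", "name": "libexample-net", "version": "2.0.3"},
    {"type": "library", "name": "third-party-ble-stack"}
  ]
}
"""

# Constructed advisory list (hypothetical IDs, not real CVEs): any version of the
# named component that sorts strictly below "fixed_in" is treated as affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "fixed_in": "1.1.1t"},
    {"id": "ADV-0002", "component": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-0003", "component": "libexample-net", "fixed_in": "2.0.1"},
]


def version_key(version):
    """Split a version string into comparable tokens, e.g. '1.1.1q' ->
    [(0, 1), (0, 1), (0, 1), (1, 'q')]. Numeric runs compare as integers,
    alphabetic runs as strings. Simplification: real ecosystems (semver
    pre-releases, Debian epochs, ...) have their own ordering rules."""
    tokens = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        tokens.append((0, int(tok)) if tok.isdigit() else (1, tok.lower()))
    return tokens


def load_components(sbom_json):
    """Return the component entries of a CycloneDX JSON SBOM as plain dicts."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        {"name": c["name"], "version": c.get("version"), "type": c.get("type", "unknown")}
        for c in bom.get("components", [])
    ]


def unversioned_components(components):
    """Names of components with no version: they cannot be matched against any
    advisory, so a reviewer should treat them as a gap in the SBOM, not as clean."""
    return [c["name"] for c in components if not c.get("version")]


def find_affected(components, advisories):
    """Match each versioned component against the advisories; a component is
    affected when its version sorts strictly below the advisory's fixed version."""
    findings = []
    for comp in components:
        if not comp.get("version"):
            continue  # reported separately by unversioned_components()
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if version_key(comp["version"]) < version_key(adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM_JSON)
    for f in find_affected(comps, SAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for name in unversioned_components(comps):
        print(f"{name}: no version recorded, cannot be checked")
```

On the constructed input this flags openssl 1.1.1q and zlib 1.2.11, leaves libexample-net 2.0.3 alone because it is at or above the fixed version, and reports third-party-ble-stack as unchecked because the SBOM entry has no version. In practice the advisory list would come from a vulnerability feed keyed by package URL rather than bare names, and the version comparison would use the ecosystem's own rules.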

Additionally, the omnibus bill would require the Food and Drug Administration (FDA) to issue further guidance on improving the cybersecurity of medical devices. The Government Accountability Office (GAO) would also be expected to release a report within the next year to identify remaining challenges surrounding device security.