2023 US Omnibus Bill: Charting New Frontiers For Medical Device Security
The current state of healthcare cybersecurity is in flux. Given the continuous rise in the number and extent of attempted and successful cybercrime incidents, healthcare organizations and medical device manufacturers today must have a robust vulnerability management and incident reporting process in place. After all, unaddressed cyber flaws in the medical equipment used by hospitals and clinics are similar to unsecured doors inviting intruders—or in this case, cybercriminals.
Early in 2023, the US Omnibus Appropriations Bill was approved, empowering the US Food and Drug Administration (FDA) with funding and the legal ability to regulate cybersecurity in medical devices.
This marks a new frontier in medical device security, since until now there has been no legislation that specifically addresses medical device security requirements. Instead, each medical OEM has had its own policies and procedures for managing cybersecurity for its devices (and supporting systems) and offerings, based on the guidance provided by the FDA.
While in some cases these measures are adequate, in most instances cyber vulnerabilities persist.
Manufacturers must now implement a secure product development framework in which cybersecurity is built into the devices. What this means is the adoption of the "secure by design" principle, ensuring the safety and effectiveness of a device with cybersecurity as an integral component, along with a process for tracking vulnerabilities that may be discovered after the product's release.
Device Security IS Device Safety
The Omnibus bill, signed into law in March 2023, goes on to state that the defined cybersecurity requirements must be met by all medical devices that contain software, may connect to the internet, or may be exposed to cyber threats.
It summarizes what the FDA's expectations will be of manufacturers with regard to the evidence they must supply, building on the FDA's April 2022 advisory. As per its terms, any new application for the approval of a medical device must comply with:
Section 524B - a
Pertains to submitting a plan to monitor, identify and address, in a reasonable time, post-market cybersecurity vulnerabilities, including vulnerability disclosure and related procedures.
Section 524B - b
The design, development, and maintenance of processes and procedures to assure that the devices and related systems are cybersecure, and to make post-market updates and patches available for the device and related systems. This includes a software bill of materials (SBOM) covering commercial, off-the-shelf (OTS) and open-source software components.
Section 524B - c
Applies to software validated, installed, or authorized by the sponsor as a device or in a device. This includes technological characteristics validated and installed by the sponsor that could be vulnerable to cybersecurity threats.
Section 524B - d - Exemptions and Enactment Date
There are some specified instances in the Federal Register (identified devices or categories of devices) that are exempt from meeting the cybersecurity requirements.
The proposed changes take effect April 1, 2023 for all new submissions by MedTech OEMs to the FDA.
What this means for you
Once the Omnibus Bill is in effect, anyone who submits a cyber-capable medical device to the FDA is required to:
- Submit to the FDA Secretary a plan to track, recognize, and mitigate post-market cybersecurity exploits and vulnerabilities in a timely manner, including coordinated vulnerability disclosure and related procedures;
- Design, create, and maintain processes and procedures to give a justifiable level of assurance that the device and associated systems are cybersecure, and make post-market updates and patches to the device and associated systems available to address:
  - Known unacceptable vulnerabilities on a justifiable regular cycle;
  - Critical vulnerabilities as soon as possible out of cycle; and
- Provide to the Secretary of the FDA a software bill of materials, including commercial, open-source, and off-the-shelf software components.
As a medical device manufacturer, the revised landscape therefore offers you new opportunities to deliver robust cybersecurity capabilities throughout the product lifecycle. In addition to meeting the statutory requirements, it can also help you unlock new value in the market through greater trust and confidence from your customers.
With the Act in force, we can therefore expect to witness the rise of a revitalized and more secure cyber environment across the medical device landscape, one that would help protect against the growing challenges posed by cybercriminals worldwide.