Omnibus Act Impact on Medical Device Cybersecurity

--

By Axel Wirth, MedCrypt Chief Security Strategist, and Naomi Schwartz, MedCrypt Senior Director of Cybersecurity Quality and Safety

The ‘‘Consolidated Appropriations Act, 2023’’ (H.R. 2617) was passed by the U.S. Senate and signed into law by President Biden on December 29, 2022. The $1.7 trillion omnibus spending bill accomplishes a number of objectives, including funding the US government through the 2023 fiscal year as well as a set of foreign and domestic policy goals ranging from support for Ukraine, defense, and natural disaster aid. Further, it will have significant implications for the healthcare industry as well as cybersecurity in general and specifically for how security for medical devices is regulated and enforced.

House Appropriations Committee

The general cybersecurity provisions include significant funding to improve offensive capabilities across all levels of government and industry organizations as well as critical infrastructure industries, for example technology modernization, acquisition visibility, infrastructure improvements, hiring and education. Furthermore, the Act includes investments into cyber-defense (e.g., cybercrime and law enforcement, reduction of cyber-espionage or sabotage risks, threat intelligence sharing, reduction of cyber risk to the civilian population).

Included is also the Food and Drug Omnibus Reform Act (FDORA), providing approximately $6.56 billion in total funding for FDA for the fiscal year 2023. This is especially timely for the healthcare industry. After years of increasing cyber compromises (e.g., a 12% average YoY increase in reported data breaches) combined with multiple other stressors (e.g., staffing shortages, revenue shortfall, pandemic response), improving the healthcare sector’s security posture has become an urgent priority for government and industry alike.

FDA & CISA

Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) are explicitly referenced with increasing authorities and funding, the latter to ensure cybersecurity of medical devices by amending the Federal Food, Drug, and Cosmetic Act to explicitly include statutory authority to regulate cybersecurity of medical devices where in the past, cybersecurity was considered as part of the risk management process and was based on interpretation of existing Quality System Regulations and recommendations via guidance.

These amendments take effect 90 days after the date of enactment of this Act.

Manufacturers must now include evidence of security controls and security testing, as well as plans to maintain device’s security posture through updates and patches, all supported by documented evidence, e.g., a software bill of materials for commercial, open-source, and off-the-shelf software components.

Specifically, this includes:

  • development of plans to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure;
  • design, development, and maintenance processes to assure a device is cybersecure;
  • availability of postmarket updates and patches to the device at regular cycles for known unacceptable vulnerabilities and out of cycle critical vulnerabilities that could cause uncontrolled risks;
  • “provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.”

These requirements are applicable to devices and systems that include software, can connect to the internet, and could be vulnerable to cybersecurity threats. To meet all aspects of these requirements, new regulations may need to be developed.

Photo by Piron Guillaume on Unsplash

Reasonable assurance of the safety and effectiveness of devices may require assurance of cybersecurity, including for devices previously approved or cleared. As stated in the Act: “Nothing in this section, including the amendments made by this section, shall be construed to affect the Secretary’s authority related to ensuring that there is a reasonable assurance of the safety and effectiveness of devices, which may include ensuring that there is a reasonable assurance of the cybersecurity of certain cyber devices, including for devices approved or cleared prior to the date of enactment of this Act.”

Specific steps after enactment of the Act include:

  • within 2 years, and periodically thereafter, FDA, in consultation with CISA, shall review and update the previously provided Guidance on the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices;
  • not later than 180 days, and not less than annually thereafter, FDA shall provide updated public information regarding improving cybersecurity of devices;
  • not later than 1 year, the GAO shall publish a report identifying challenges in cybersecurity for devices, including legacy devices; how Federal agencies can strengthen coordination to better support cybersecurity for devices; and statutory limitations and opportunities for improving cybersecurity for devices.

Other provisions in the Act address a broad range of related topics, for example:

  • a required report by the FTC on ransomware and other cyber-related attacks;
  • establishment of a panel of the Medical Devices Advisory Committee for the purpose of providing advice on topics related to medical devices used in pandemic preparedness and response;
  • predetermined change control plans for certain devices to assure continued safety and efficacy.
  • protection of clinical trial participant data;

The need to improve the healthcare sector’s cyber resilience is clearly expressed in various sections of the Omnibus Act. This goes hand-in-hand with other cybersecurity initiatives (current and expected) under the Biden administration that will aim to further reduce cyber-related risks to the healthcare sector in general and medical devices specifically.

Photo by Harold Mendoza on Unsplash

Additional executive and legislative efforts can be expected to help bring the entire industry up to a minimum standard for cybersecurity. This may include financial incentives for hospitals to adopt minimum cybersecurity requirements. Such a blueprint was recently published by US Senator Warner highlighting three focus areas:

  • improving the cybersecurity risk posture in the healthcare sector;
  • identifying ways that the federal government can help the private sector meet cyber threats;
  • developing policies that could help healthcare providers respond to attacks.

The Omnibus Act outlines supporting efforts across government agencies, including FDA, CISA, and HHS, that can be expected and lays out significant budget increases to lay the groundwork — e.g., a budget increase for HHS to $121 billion, and $5 million for FDA specifically for medical device cybersecurity efforts.

In healthcare, cybersecurity is directly related to patient safety and hospitals’ ability to deliver timely and quality care. In a recent interview, Dr. Suzanne Schwartz, Director of the Office of Strategic Partnerships & Technology Innovation, FDA CDRH, stated “Even though we have said over and over that cybersecurity of medical devices is not optional and not voluntary, we’ve never had until now the power of statute, of actual legislation, requiring manufacturers to address cybersecurity of medical devices.”

In other words, FDA’s traditional implicit authority via regulation of quality systems has now become an explicit authority that enables direct oversight in matters of cybersecurity.

The statutory authority and appropriations allocated to FDA should lead to increased resources, training and awareness of cybersecurity across CDRH. Increased resources will lead to more consistent review, more secure devices going to market and increased scrutiny of security in the postmarket. This is a huge win for device users as it will improve the security of devices across the board, increase transparency of security measures taken by MDMs, improve communications between MDMs and device users, and accelerate adoption of best practices.

The provisions of the Omnibus Act go hand in hand with President Biden’s national cyber strategy to make critical infrastructure more secure. This new, comprehensive cybersecurity strategy is expected to be announced in the coming weeks. It will shift away from the previous voluntary approach focused on information sharing and public-private partnerships and shift towards a regulatory approach to ensure national security and public safety.

Recognizing the need for progress on a national level, executive and congressional action will be required to support a combination of new regulation and the shifting of liability. Critical sectors need a higher but also consistent level of security. Harmonization across sectors and government agencies and establishing a security baseline will also prevent confusion and inefficiencies through a patchwork of regulations and enforcement.

Want to learn more about the Omnibus Act and medical device cybersecurity? Contact us info@medcrypt.com and visit us at medcrypt.com.

--

--