The Omnibus Appropriations Act Grants FDA Formal Authority to Require Cybersecurity Action by Medical Device Manufacturers

Faegre Drinker Biddle & Reath LLP

Cyberattacks affecting internet-connected medical devices like insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps have increased in recent years. And such attacks show no sign of slowing, as the number and type of medical device products that are connected to the cloud increase (thereby increasing the attack surface for hackers), and as hackers become more sophisticated. Indeed, in a September 2022 FBI Private Industry Notification, the FBI noted that around 53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. These vulnerabilities could allow hackers to direct medical devices to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.

In the past, the U.S. Food & Drug Administration (FDA) has urged manufacturers to take measures to ensure the cybersecurity of their products only through non-binding guidance. On December 29, 2022, President Biden signed into law the $1.7 trillion Omnibus Appropriations Act, which gives the FDA authority to require manufacturers to take cybersecurity protection measures for medical devices that are brought to market through future pre-market submissions. See H.R. 2617 (117th Congress, 2021-2022).

Section 3305 of the Omnibus Appropriations Act amends the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 351 et seq.) to include cybersecurity requirements for “cyber devices,” which are defined to be devices that:

  • “include[] software validated, installed, or authorized by the sponsor [of an application or submission under sections 510(k), 513, 515(c), 515(f), or 520(m)];”
  • “[have] the ability to connect to the internet;” and
  • “contain[] any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”

This definition includes a broad range of devices, from internet-connected devices in hospitals like smart beds, to pain pumps and insulin pumps, and to wearable technology like smart watches.

Specifically, under the Act, manufacturers of “cyber devices” must include in premarket submissions “such information as the [FDA] Secretary may require to ensure that such cyber device meets” certain cybersecurity requirements. This includes the following:

  • A plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
  • Processes and procedures “to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address” vulnerabilities and risks, both on regular cycles and out of cycle.
  • A software bill of materials, including commercial, open-source, and off-the-shelf software components.

The Act explicitly grants the FDA authority to enact “other requirements . . . to demonstrate reasonable assurance” that such devices are secure.

The Act also tasks the FDA and other government entities with publishing and providing certain guidance relating to cybersecurity, including:

  • Guidance on the content of premarket submissions for management of cybersecurity in medical devices (to be prepared after “soliciting and receiving feedback from device manufacturers, health care providers, third-party-device servicers, patient advocates, and other appropriate stakeholders”).
  • Public resources with information on improving cybersecurity of devices (such as identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through government entities).
  • Issuance of a report by the Comptroller General of the United States that examines: challenges for stakeholders in accessing federal support to address vulnerabilities across federal agencies; how federal agencies can strengthen coordination to better support device cybersecurity; and statutory limitations and opportunities for improving device cybersecurity.

Dr. Suzanne Schwartz, the Director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health, has said that this “explicit authority” constitutes a “massive shift” for the FDA, and that it would be doing “a legal analysis of the statute . . . in terms of what its implications are to help further inform how [the FDA] go[es] forward.”

How will the FDA’s newfound formal authority be implemented and aligned with prior guidance that the FDA has drafted? And what does this formal authority mean for the litigation landscape around internet-connected medical devices? For internet-connected medical devices currently on the market? Stay tuned for Parts 2 and 3 of this series, as we continue to monitor updates from the FDA on its regulation of internet-connected medical devices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising