
USA – Strengthening Cybersecurity for Medical Devices

Jun 14, 2022

Cybersecurity vulnerabilities are an ever-increasing threat to the medical device industry. There is an urgent need for additional laws and regulations aimed at addressing cybersecurity in the manufacture of medical devices.

Continued Review Of Medical Device Guidance

On 26 May 2022, Bill S.4336, Strengthening Cybersecurity for Medical Devices Act, was introduced to the Senate in the United States. If enacted, the Bill would ensure that the Food and Drug Administration (FDA) frequently reviews and updates its cybersecurity guidelines for medical devices.

Specifically, the Bill aims to “require the Secretary of Health and Human Services, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, to annually review and as appropriate update guidance for industry and FDA staff on medical device cybersecurity, and for other purposes.”

The Bill proposes that, every two years, the Secretary of Health and Human Services, along with the Director of the Cybersecurity and Infrastructure Security Agency, should review and update the guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.

The Bill also proposes that the FDA will share information publicly, including information on recognising cyber vulnerabilities.

Furthermore, the Bill proposes the publication of a report identifying challenges in cybersecurity for medical devices, as well as methods for Federal Agencies to strengthen coordination and ensure adequate support for cybersecurity of medical devices.

Overall, frequent updates of cybersecurity guidelines would help ensure that devices, and ultimately patients, are protected against the ever-increasing cyberattack risk.

User-Fee Programmes

Additionally, House Bill 7667 was passed on 8 June 2022 to amend the Federal Food, Drug, and Cosmetic Act to update and extend the user-fee programs for medical devices.

Importantly, the Bill includes several cybersecurity requirements for medical devices, including the requirement for manufacturers to develop a plan for monitoring and addressing postmarket cybersecurity susceptibilities, as well as to develop adequate processes and procedures to ensure devices are secure. The Bill also includes a requirement to include a software bill of materials in the device labeling.

These bills follow other recent developments in the area of medical device cybersecurity. The draft guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” was issued in April 2022 and lays down recommendations surrounding the information to be submitted for devices under certain premarket submission types.

Furthermore, the proposed Protecting and Transforming Cyber Healthcare (“PATCH”) Act was introduced in March 2022 to address device cybersecurity concerns.

These recent updates highlight the urgent need for legislation to incorporate requirements to address cybersecurity in medical devices. 
