FDA’s User Fee Authorization Bill Medical Device Cybersecurity Requirements Removed By Senate Republicans

The United States Food and Drug Administration (FDA) user fee authorization bill that was approved by the House of Representatives in early June contained new provisions requiring medical device manufacturers to label all devices with a software bill of materials, to adequately monitor for and rectify postmarket cybersecurity flaws in their devices, and to ensure all devices are able to receive updates that maintain cybersecurity for the entirety of the devices’ lifecycles. The bill was approved by a vote of 392-28. However, the cybersecurity provisions have since been removed.

With time running out, the FDA bowed to pressure from Senate Republicans and removed the new cybersecurity requirements for medical device manufacturers. The FDA’s permission to collect fees from the health industry to conduct independent assessments of drugs and medical devices was set to expire on September 30. The FDA estimated that it would only be able to carry out its assessment efforts for around five weeks before its funding ran out if its five-year authorisation was not extended. According to the renewal that was part of the recently enacted temporary funding bill, the FDA and the rest of the federal government will be financed through December 16, 2022.

“After the House passed its user fee package, bipartisan Energy and Commerce and HELP leaders came to agreement on language to cover many significant policy areas that we wanted included in the Continuing Resolution,” stated Frank Pallone, Chairman of the Energy and Commerce Committee. “Unfortunately, Senate Republican leadership blocked these policy agreements from being included.” The Senate received a different version of the bill that would reform the regulation of diagnostics and give the FDA more control over supplements and cosmetics. According to lawmakers in both houses, several of the provisions will likely be revisited before the end of the year.

Although disappointing, the elimination of the cybersecurity standards is not unexpected. Experts state that healthcare organizations should not wait for legislative reforms to maintain the security of their networks, the confidentiality of their information, and the safety of their clients. Instead, they should take proactive measures to discover and fix any weaknesses in medical equipment.