Omnibus Bill Outlines Key Security Requirements for Medical Devices

An omnibus appropriations bill that would fund the government through September 30, 2023, has been released by the House and Senate Appropriations Committees. The bill, which clocks in at over 4,000 pages, contains a number of provisions that will affect healthcare, such as medical device security requirements for manufacturers.

Lawmakers and healthcare leaders have been advocating for more guidance and regulation in the area of medical device security. With healthcare organizations managing thousands of internet-connected medical devices, the security risk is a genuine concern. The industry’s reliance on legacy systems, combined with the federal government’s heightened focus on cybersecurity, has necessitated legislative action.

Section 3305 of the omnibus bill states that medical device manufacturers must submit to the Secretary a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits in a reasonable amount of time, including coordinated vulnerability disclosure and related procedures.

AHA’s bill summary pointed out that the omnibus bill allocates $120.7 billion in total spending to HHS, a $9.9 billion increase from the previous year. These funds will be distributed to various HHS departments, such as CMS, NIH, and CDC, with a focus on medical research.

Manufacturers must create processes to ensure the security of their devices and associated systems, including postmarket updates and patches. These requirements take effect 90 days after the law passes. Grant Geyer, Claroty’s Chief Product Officer, stressed the importance of the cybersecurity provisions included in the omnibus: “The frequent use of third-party and open-source software in connected medical devices can hide significant vulnerabilities which could affect patient care. This is why the cybersecurity measures in the omnibus are so crucial.”

The omnibus bill also proposes that manufacturers must supply a software bill of materials (SBOM) to the Secretary, listing the device’s off-the-shelf, open-source, and commercial software components. Geyer commented that this requirement “compels them to investigate if there are any issues with the third-party components they are using to build software.” In addition, the FDA is due to release further guidance on strengthening the security of medical devices, and the GAO will present a report in the next year detailing the remaining security challenges related to these devices.