Congress is considering several pieces of legislation requiring the FDA to regularly update cybersecurity guidance and better coordinate efforts with other agencies to safeguard medical and healthcare technologies from digital threats.
A bipartisan proposal, the Strengthening Cybersecurity for Medical Devices Act, would require the agency to review and update premarket medical device cybersecurity guidance every two years. A second bill, S. 3904, the Healthcare Cybersecurity Act, would mandate closer collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency in addressing threats.
Both come on the heels of House passage in May of H.R. 7667, the Food and Drug Amendments of 2022, which contains a slew of medical device cybersecurity provisions. Among them is a requirement that medical device manufacturers patch unacceptable and critical vulnerabilities and have a plan to address exploitable bugs through coordinated disclosures.
The cybersecurity provisions of the House legislation are a small part of annual legislation reauthorizing the FDA’s user fee programs for medical devices and prescription drugs. The Senate HELP Committee voted last week to advance S. 4348, its version of the FDA user fee reauthorization bill, but that legislation does not contain medical device cybersecurity provisions.