Medical Device Cybersecurity Requirements Removed from FDA Reauthorization Bill

In June, the House of Representatives approved the U.S. Food and Drug Administration (FDA) user fee reauthorization bill. The bill included new provisions requiring medical device manufacturers to monitor and address postmarket cybersecurity vulnerabilities found in their devices, to label medical devices with a software bill of materials, and to make sure devices can receive patches so that they stay secure for their complete lifecycle. The bill was approved with a 392-28 vote; however, those cybersecurity requirements have since been removed.

The FDA’s authorization to receive fees from the healthcare industry to perform third-party reviews of drugs and medical devices will end on September 30. As time ran out, the FDA gave in to the demand of Senate Republicans and removed the new cybersecurity requirements for medical device companies. The FDA estimated that, if its 5-year authorization is not renewed, it can only proceed with its review activities for about 5 weeks before its funds are depleted. The FDA reauthorization was part of a temporary spending bill that has already been approved and will fund the FDA and the Federal government until December 16, 2022.

Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) stated that the House approved a user fee reauthorization package on time with astounding bipartisan support. Following the House approval of its user fee package, the leaders of bipartisan Energy and Commerce and HELP wanted to include a lot of essential policy sections including the Continuing Resolution. Sadly, Senate Republican leadership did not approve these policy agreements.

U.S. Senators Richard Burr (R-NC) and Patty Murray (D-WA), the Chair and Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), made a statement regarding the reauthorization of the FDA user fee programs to make sure that the FDA could carry on its crucial work and would not have to distribute pink slips. Nevertheless, there is extra work for this Congress to do to provide the types of reforms families must see from the FDA, from the industry, and from the mental health and pandemic readiness work. The senators affirmed their commitment to moving forward with that work and to the inclusion of strong, bipartisan laws in a strong year-end package.

The removal of the cybersecurity requirements is disappointing but not surprising. Healthcare companies must not wait for changes and must make sure that they proactively identify and address vulnerabilities present in medical devices to protect the security of their systems, confidentiality of information, and patient security.