Omnibus Appropriations Bill Includes Medical Device Cybersecurity Provisions

The House and Senate Appropriations Committees has released information about a $1.7 trillion omnibus appropriations bill, which if approved, will make sure that the government stays financed up to September 30, 2023. The Senate has actually begun deliberating the bill and this week, the House will decide on the bill. The bill needs to be approved by the president before the government funding expires.

The 4,155-page bill includes the following healthcare provisions that would enable hospitals and health systems to offer better patient care:

  • the prohibition of the 4% Medicare PAYGO slashes to providers
    financial assistance for rural hospitals to ensure their continuous operations
  • steps to help states get ready for Medicaid eligibility when the COVID-19 Public Health Emergency concludes
  • extensions and broadening of telehealth flexibilities up to December 31, 2024 to ensure that patients get accessible medical treatment through the telehealth and hospital-at-home programs.

The bill will likewise give money for important behavioral health programs and a number of conditions that will grow the medical care staffing.

The bill recommends funding of $120.7 billion for the Department of Health and Human Services. It increases the HHS funds by $9.9 billion more than in 2021. Here are the other changes in funding amounts:

  • $100 million more for the Centers for Medicare and Medicaid Services
  • $2.5 billion more for the National Institutes of Health to be spent on research on a variety of diseases and medical problems
  • $760 million more for the Centers for Disease Control and Prevention, mostly to finance basic public health activities and emergency readiness
  • $970 million more for the Substance Abuse and Mental Health Services Administration to fund mental health programs and expanded service access

The Food and Drug Administration (FDA) appropriations bill was approved in September to make sure the FDA would get funds continuously, however, to ensure the bill is approved, the FDA had to remove its recommended medical device cybersecurity requirements, a lot of of which were obtained from The Protecting and Transforming Cyber Health Care (PATCH) Act. The Senate Republican leadership blocked those requirements.

But the good news is that the omnibus appropriations bill contains new requirements in the approval of devices created by medical device manufacturers making sure they satisfy particular minimum standards for cybersecurity. Those conditions will be effective 90 days after passing the bill.

The requirements include presenting a plan to the Secretary of the FDA to check, identify, and handle postmarket cybersecurity flaws and exploits. There must be coordinated disclosure of a vulnerability and relevant processes. The devices and related systems must be safe and include postmarket software and firmware updates and patches. Medical device producers will additionally need to present a Software Bill of Materials (SBOM) to the Secretary of the FDA that consists of all existing, open source, and critical elements utilized by the devices.

The bill requires the FDA to give extra resources and facts on enhancing the cybersecurity of medical devices in 180 days, and yearly afterward, which include details on determining and dealing with cyber vulnerabilities for healthcare companies, health systems, and device producers. In one year, the Government Accountability Office needs to give a report that pinpoints the challenges encountered by health systems, healthcare providers, patients, and device producers in handling vulnerabilities, and how federal organizations can reinforce coordination to boost device cybersecurity.

HIPAA required the development of a unique patient identifier (UPI), however, there is no funding provided to date. The appropriations bill still prohibits financing for a national patient identifier, although a UPI could help to make sure that patients are correctly related to the proper medical records.