Biden signs bill implementing healthcare cybersecurity measures
On December 29, 2022, President Biden signed the $1.7 trillion omnibus government spending bill for fiscal year 2023. The bill includes important healthcare cybersecurity provisions, most notably an amendment to the Federal Food, Drug, and Cosmetic (FD&C) Act that requires medical device manufacturers to meet specific cybersecurity requirements as a condition of premarket submission.
Among the new mandates, medical device makers must submit to FDA:
- A plan detailing how they will monitor, identify and address, within a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
- A software bill of materials (SBOM) covering the commercial, open-source and off-the-shelf software components used in the device.
Further, medical device manufacturers must maintain processes and procedures that provide reasonable assurance that their devices and related systems are cybersecure, and they must make post-market software and firmware updates and patches available throughout the lifecycle of the device: on a regular cycle for known unacceptable vulnerabilities, and out of cycle, as soon as possible, for critical vulnerabilities that could cause uncontrolled risk.
The bill also acknowledges the need for additional resources for device cybersecurity, requiring FDA to update its public guidance on improving the cybersecurity of medical devices within 180 days of enactment and at least annually thereafter, and to publish information on how healthcare providers, health systems and device manufacturers can identify and address cyber vulnerabilities.
Additional federal responsibilities laid out in the bill include a Government Accountability Office (GAO) report, due within one year, that identifies the cybersecurity challenges for medical devices, including legacy devices for which software security updates are limited or unavailable. The report must also examine the hurdles that healthcare providers, health systems, patients and device manufacturers face in accessing federal support, and how federal agencies can strengthen coordination to improve device cybersecurity.
Healthcare cybersecurity carryovers from PATCH
Many of the funding bill's healthcare cybersecurity requirements were carried over from the earlier Protecting and Transforming Cyber Health Care (PATCH) Act, whose provisions had been stripped out of prior legislation.
In early December, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) submitted comments on Sen. Mark Warner's white paper "Cybersecurity is Patient Safety" in a letter that reaffirmed their support for PATCH.
While the PATCH Act itself did not pass, it serves as the foundation for this healthcare cybersecurity amendment, which is a significant step forward for healthcare information security.
“CHIME and AEHIS members are encouraged by the much-needed Congressional focus on cybersecurity in the healthcare sector. Our members are dedicated to cybersecurity best practices, but providers have long needed additional, federal support to defend themselves from the increasingly sophisticated cyberattacks,” said CHIME President and CEO Russ Branzell.