Sens. Jacky Rosen, D-Nev., and Todd Young, R-Ind., are introducing legislation that would require the U.S. Food and Drug Administration to keep federal guidance on medical device security up to date with rapidly evolving cyber threats to the health industry.
The legislation, first shared with CyberScoop, would impose requirements on the FDA to work with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to issue binding guidance for industry and FDA staff regarding medical device cybersecurity no less than every two years.
The bill also requires FDA to regularly update its website to share cybersecurity vulnerabilities and access to support for health care professionals and industry.
“In light of increased cyber threats, we must strengthen the security of our health care system’s cyber infrastructure,” Rosen said. “This bipartisan bill I introduced with Senator Young will ensure that medical devices and technologies are up to date with the latest cybersecurity, protecting patients and health care systems.”
The legislation also tasks the Government Accountability Office with issuing a report examining medical device cybersecurity challenges and offering recommendations for improving federal coordination on medical device cybersecurity.
Cybersecurity threats against health care have skyrocketed in recent years. In addition to an ongoing scourge of ransomware attacks against medical facilities, the FDA has since 2015 put out more than a dozen alerts on serious vulnerabilities in medical equipment.
Some of these vulnerabilities could be deadly. In 2019 the FDA warned that an insulin pump made by medical device vendor Medtronic had a vulnerability that could allow hackers to change the setting of the device.
At an April hearing in front of the United States Senate Committee on Health, Education, Labor and Pensions, FDA leadership urged Congress to give the agency greater authorities and more funding; the agency's current funding for medical device security is just one-tenth of its 2023 budget request.
“This is a place where we do not have the full authorities to ensure that these devices are cyber safe,” Jeffrey Shuren, director at the FDA’s Center for Devices and Radiological Health, said in response to a question from Rosen. “And if we don’t, we’re going to continue to have threats.”
The FDA last issued cybersecurity guidance in 2018. There is currently no requirement for how often the agency has to issue guidance. In April, the FDA issued draft guidelines for the industry regarding devices with cybersecurity risks. The guidance would apply not just to health care devices but also to health care facility networks, a frequent target for ransomware attacks.
The guidance includes recommendations that devices come with a software bill of materials and a new labeling system to convey device risks — both practices highlighted in President Joe Biden’s executive order on federal cybersecurity in 2021.
Rosen, alongside Sen. Bill Cassidy, R-La., introduced separate legislation in March that would also strengthen Health and Human Services’ collaboration with CISA.