As reported this past week by GovInfoSecurity, the Consolidated Appropriations Act of 2023, signed into law in late December 2022, included a key provision to help ensure the cybersecurity of medical devices by their manufacturers. GovInfoSecurity interviewed Dr. Suzanne Schwartz, director of the FDA’s Office of Strategic Partnerships and Technology Innovation, Center for Devices and Radiological Health, about this new piece of legislation.

As stated in the Act, any medical device that meets the definition of a “cyber device” under the Federal Food, Drug, and Cosmetic Act must meet specifically enumerated cybersecurity requirements. Specifically, any sponsor of an application or submission shall:

  1. submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  2. design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address:
    • on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
    • as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;
  3. provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components; and
  4. comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.

A cyber device is defined as one that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”

Not later than 180 days after enactment of this Act, the FDA must issue premarket guidance for FDA staff and the medical device industry, in addition to publishing a report identifying challenges to implementing cybersecurity for current and legacy medical devices within the next year.

The Act provides the FDA with $5 million of funding for the development of policies, procedures, and enforcement efforts.

John W. Kaveney

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service providers, medical billing companies, skilled nursing and rehabilitation facilities, behavioral health centers and pharmacies.

His practice in the healthcare field encompasses advising healthcare clients on corporate compliance matters, including the implementation of new, and the assessment of existing, corporate compliance programs. He also assists healthcare clients with compliance audits and investigations, as well as guiding clients through the self-disclosure and repayment processes. Finally, he provides general legal advice concerning compliance and regulatory matters under state and federal healthcare laws.

In the area of information privacy and data security, Mr. Kaveney advises healthcare clients on issues arising under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This includes the implementation and assessment of privacy and security policies and procedures to ensure the proper protection and utilization of protected health information both by healthcare providers and the business associates with which they contract. In addition, he represents healthcare clients in investigating, reporting, and remediating information breaches and the liability such breaches create under various information privacy and security laws.

Additionally, Mr. Kaveney provides counsel on Medicaid and Medicare reimbursement matters before the Division of Medical Assistance and Health Services and the Provider Reimbursement Review Board, as well as assisting clients in civil litigation and with professional licensing and medical staffing concerns.

Contact information:

jkaveney@greenbaumlaw.com | 973.577.1796

For more information visit the Greenbaum, Rowe, Smith & Davis LLP website.