FDA Authorization Bill Drops Medical Device Cybersecurity
Congress Backs Away From Requiring Manufacturers to Patch Medical Devices
A congressional deal to keep the U.S. Food and Drug Administration funded past this month strips medical device cybersecurity provisions earlier approved by the House of Representatives with bipartisan support.
The FDA's five-year authorization to collect fees from the healthcare sector for independent review of new drugs and medical devices expires Sept. 30. Without the user fee program, the agency estimates it could continue review activities for about five weeks before running out of money.
With only days left before fee collection authorization expires, House and Senate leaders yielded to demands from Senate Republicans that the authorization bill not include new policy requirements.
Sen. Richard Burr, senior Republican on the Senate Committee on Health, Education, Labor, and Pensions, with the backing of Senate Minority Leader Mitch McConnell, pushed for "clean" reauthorization legislation after decrying "harmful additions" to the FDA bill. Congress is expected to approve the slimmed-down five-year user fee reauthorization as part of a temporary spending bill that keeps the rest of the federal government funded through Dec. 16.
The FDA reauthorization and government spending bills are seen as "must pass" bills, which makes them vehicles for legislation that is otherwise difficult to pass in the politically polarized national capital.
Burr and Sen. Patty Murray, the Washington Democrat who chairs the Senate HELP Committee, issued a joint statement promising to find consensus on FDA reform by the end of this year.
House Energy and Commerce Committee Chairman Frank Pallone, in a statement Monday, likewise vowed to press for putting new FDA policy provisions into law. "All four corners committed to returning to the negotiating table ahead of the December government funding deadline," the New Jersey Democrat said.
An FDA spokesperson, in an email to Information Security Media Group, said the agency is "pleased" that the user fee reauthorization is moving through the legislative process. "We are disappointed that key public health policies were not included and look forward to working with Congress on those policies this fall," the spokesperson added.*
The House approved the Food and Drug Amendments of 2022 by a vote of 392-28 in early June. That version of the FDA user fee reauthorization bill required medical device manufacturers to monitor and address postmarket cybersecurity vulnerabilities. It also told manufacturers to ensure that medical devices can receive patches and to label devices with a software bill of materials.
The language came from a bill dubbed the PATCH Act, sponsored by Reps. Michael Burgess, a Texas Republican, and Angie Craig, a Minnesota Democrat.
*Updated Sept. 28, 2022 17:19 UTC: Adds comment from the Food and Drug Administration.