FDA Authorization Bill Drops Medical Device Cybersecurity

Congress Backs Away From Requiring Manufacturers to Patch Medical Devices
FDA Authorization Bill Drops Medical Device Cybersecurity

A congressional deal to keep the U.S. Food and Drug Administration funded past this month strips medical device cybersecurity provisions earlier approved by the House of Representatives with bipartisan support.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

The FDA's five-year authorization to collect fees from the healthcare sector for independent review of new drugs and medical devices expires Sept. 30. Without the user fee program, the agency estimates it could continue review activities for about five weeks before running out of money.

With only days left before fee collection authorization expires, House and Senate leaders yielded to demands from Senate Republicans that the authorization bill not include new policy requirements.

Sen. Richard Burr, senior Republican on the Senate Committee on Health, Education, Labor, and Pensions, with the backing of Senate Minority Leader Mitch McConnell, pushed for "clean" reauthorization legislation after decrying "harmful additions" to the FDA bill. Congress is expected to approve the slimmed-down five-year user fee reauthorization as part of a temporary spending bill that keeps the rest of the federal government funded through Dec. 16.

The FDA reauthorization and government spending bills are seen as "must pass" bills, which makes them vehicles for legislation that is otherwise difficult to pass in the politically polarized national capital.

Burr and Sen. Patty Murray, the Washington Democrat who chairs the Senate HELP Committee, issued a joint statement promising to find consensus on FDA reform by the end of this year.

House Energy and Commerce Committee Chairman Frank Pallone in a statement Monday likewise vowed to press for putting new FDA policy provision into law. "All four corners committed to returning to the negotiating table ahead of the December government funding deadline," the New Jersey Democrat said.

An FDA spokesperson in an email to Information Security Media Group said the agency is "pleased" that the user fee reauthorization is moving through the legislative process. "We are disappointed that key public health policies were not included and look forward to working with Congress on those policies this fall." the spokesperson added.*

The House approved the Food and Drug Amendments of 2022 by a vote of 392-28 in early June. That version of the FDA user fee reauthorization bill required medical device manufacturers to monitor and address postmarket cybersecurity vulnerabilities. It also told manufacturers to ensure that medical devices can receive patches and to label devices with a software bill of materials.

The language came from a bill dubbed the PATCH Act, sponsored by Reps. Michael Burgess, a Texas Republican, and Angie Craig, a Minnesota Democrat.

*Updated Sept. 28, 2022 17:19 UTC: Adds comment from the Food and Drug Administration.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.