What the Omnibus Bill Means for Medical Devices and What to Know

An increasing number of cyberattacks are targeting medical devices, which hold a wealth of data. In fact, the healthcare industry is a leading target for cyber criminals—cyberattacks increased 94% from 2020–2021. Yet, life sciences companies aren’t doing enough to curtail the threat.

For instance, in some cases, medical device manufacturers ship products with known security flaws, some of which are later implanted in patients. Attackers can target these devices, putting the patients’ protected health information (PHI) at risk.

The U.S. government recently introduced legislation to protect patients: the 2022 Protecting and Transforming Cyber Healthcare (PATCH) Act, which was attached to the FDA appropriations bill, and the 2023 Omnibus Spending Bill. The FDA appropriations bill passed in September 2022 without the PATCH Act’s cybersecurity provisions. The omnibus bill, by contrast, is part of the annual process for the general budget. Signed into law at the end of December 2022, it revives the stricter cybersecurity requirements first introduced by the PATCH Act, adding them to the Federal Food, Drug, and Cosmetic Act as a new Section 524B.

The goal is to assure users of the devices’ security, but on its own, this isn’t enough. The omnibus bill only adds cybersecurity requirements for manufacturers, not for the organizations that use the devices. Therefore, healthcare delivery organizations (HDOs) should go beyond simply depending on legislation and maintain their own controls, such as an accurate device inventory, network monitoring, and vulnerability management, to ensure their medical devices are secure.

The Omnibus Spending Bill and Medical Devices

The 2023 Omnibus Spending Bill, which allocates funds for the U.S. government to operate, includes a provision that aims to defend medical devices against attacks. Since the Internet of Medical Things (IoMT) devices can contain PHI, their defense constitutes an important part of healthcare cybersecurity.

The Omnibus Spending Bill extends the earlier PATCH Act, which proposed healthcare cybersecurity provisions that were dropped when the amended FDA appropriations bill passed. The omnibus bill now gives the Food and Drug Administration (FDA) statutory authority to require cybersecurity measures from manufacturers of “cyber devices” (devices that contain software and can connect to the internet) as a condition of their premarket submissions. It is a mandate on device makers, not a general Internet of Things (IoT) rule for hospital networks.

The FDA has been working on procedures related to medical devices’ cybersecurity for nearly a decade. In this time, attacks against such devices and healthcare networks have multiplied in size and severity.

According to the Federal Bureau of Investigation (FBI), as of January 2022, 53% of IoT medical devices have “known critical vulnerabilities.” Furthermore, one report found approximately 6.2 vulnerabilities per medical device. In some cases, the equipment has been taken out of service, directly impacting patient care.

Why Is the Omnibus Bill Important for Healthcare Cybersecurity?  

An organization may have thousands of vulnerable devices online. The omnibus bill adds important protections concerning medical devices, contributing to the wider goals of healthcare cybersecurity. As a result, medical device manufacturers now have stricter requirements to secure their products.

Before the omnibus bill, the FDA had provided only non-binding guidance on medical device cybersecurity. Manufacturers and HDOs could follow or ignore it as they pleased, which often resulted in unsecured devices. The omnibus bill turns the core of that guidance into a legal requirement. This means demonstrating cybersecurity precautions becomes a condition for a cyber device to receive FDA clearance or approval.

The omnibus bill requires medical device manufacturers to make security updates and patches available throughout the device’s life: on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks. It’s not a one-and-done deal, either: the law directs the FDA to revisit and update its cybersecurity guidance periodically as the healthcare threat landscape changes.

How Will the Omnibus Bill Affect Medical Devices? 

The Omnibus Spending Bill covers a wide range of topics, but it has certain provisions specifically for medical devices. It establishes cybersecurity standards to which medical devices must adhere throughout the entire life cycle.

Under the new rules, when a manufacturer submits a cyber device to the FDA for premarket review, the manufacturer must meet several security requirements. They’re also required to have processes designed to provide reasonable assurance that the device and related systems stay secure throughout the life cycle. This includes monitoring for vulnerabilities and updating the software with the latest fixes.

In addition, each medical device manufacturer will have to provide the FDA with a software bill of materials (SBOM). This lists the commercial, open source, and off-the-shelf software components that go into the device—an essential security step, as third-party components carry their own vulnerabilities. An SBOM is only as useful as its identifiers, however: components must be listed with precise names and versions (ideally a package URL) for anyone to match them against published advisories.

Manufacturers must also have a plan to monitor, identify, and address postmarket vulnerabilities and exploits in a reasonable time. That plan has to include a coordinated vulnerability disclosure process, so that researchers and customers have a defined channel for reporting flaws and the manufacturer has a defined obligation to fix them.

Omnibus Bill: Not an End-All-Be-All Solution 

While the Omnibus Spending Bill and the PATCH Act are steps in the right direction, neither should be seen as a complete solution to healthcare security. Attackers continue to develop new threats regardless of regulations, so healthcare organizations must act now to keep their systems secure.

The PATCH Act, introduced in the FDA appropriations bill, ended up being excluded as the bill passed in September 2022. The 2023 Omnibus Spending Bill included stricter conditions to improve the situation. These latest regulations bring medical devices under more scrutiny than before but with important limitations.

For instance, the SBOMs that are central to the new bill are hard to contextualize. A naive approach treats every advisory against a listed component as a vulnerability in the device, flagging issues that are not exploitable because of how the component is built, configured, or exposed on the network. Asimily helps prevent this problem by identifying which vulnerabilities are actually relevant to healthcare cybersecurity in practice.
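As an added illustration, and not code from the original article or from Asimily’s product, the following Python script shows the SBOM matching and contextualization steps described in the two passages above. It reads a CycloneDX-style SBOM, matches components to an advisory feed by package URL, then overlays VEX-style exploitability statements so that an advisory against a component whose vulnerable code is not in the device’s execution path is recorded but not reported as actionable. It also surfaces components that cannot be assessed at all because the SBOM omits a version or identifier, rather than silently dropping them. The firmware name, components, advisory IDs (ADV-000x) and VEX statements are all constructed for this example; none refer to a real product or CVE.

```python
"""Added example (not from the original article or Asimily's product): triage an
SBOM against advisories, then apply VEX-style context so only exploitable
findings are reported. All data below is constructed for illustration."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.4 JSON for a fictional firmware image. The component
# without a version ("vendor-rtos") models a common real-world SBOM quality gap.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "infusion-pump-fw", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u", "purl": "pkg:generic/openssl@1.0.2u"},
    {"type": "library", "name": "busybox", "version": "1.31.1", "purl": "pkg:generic/busybox@1.31.1"},
    {"type": "library", "name": "lwip",    "version": "2.1.2",  "purl": "pkg:generic/lwip@2.1.2"},
    {"type": "library", "name": "vendor-rtos"}
  ]
}
"""

# Constructed advisory feed keyed by package URL. IDs are placeholders, not CVEs.
ADVISORIES: Dict[str, List[dict]] = {
    "pkg:generic/openssl@1.0.2u": [
        {"id": "ADV-0001", "severity": "critical", "summary": "TLS handshake memory corruption"},
    ],
    "pkg:generic/busybox@1.31.1": [
        {"id": "ADV-0002", "severity": "high", "summary": "telnetd remote code execution"},
    ],
}

PRODUCT = "infusion-pump-fw@4.2.0"

# Constructed VEX-style statements: the manufacturer (or HDO) records that the
# vulnerable telnetd applet is not compiled into this firmware's BusyBox build.
VEX_STATEMENTS = [
    {"product": PRODUCT, "vulnerability": "ADV-0002", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]


@dataclass
class Finding:
    purl: str
    advisory_id: str
    severity: str
    status: str = "affected"            # VEX status; default assumes exploitable
    justification: Optional[str] = None


def load_components(sbom_json: str) -> Tuple[List[str], List[str]]:
    """Return (purls that can be matched, names of components that cannot)."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("this example only handles CycloneDX JSON")
    matchable, unassessable = [], []
    for comp in bom.get("components", []):
        if comp.get("purl") and comp.get("version"):
            matchable.append(comp["purl"])
        else:
            # No identifier or version: cannot be matched, must not be silently dropped.
            unassessable.append(comp.get("name", "<unnamed>"))
    return matchable, unassessable


def match_advisories(purls: List[str], advisories: Dict[str, List[dict]]) -> List[Finding]:
    """Naive step: every advisory for a listed component becomes a finding."""
    return [Finding(p, adv["id"], adv["severity"])
            for p in purls for adv in advisories.get(p, [])]


def apply_vex(findings: List[Finding], statements: List[dict], product: str) -> List[Finding]:
    """Context step: overlay exploitability statements issued for this exact product."""
    by_vuln = {s["vulnerability"]: s for s in statements if s["product"] == product}
    for f in findings:
        stmt = by_vuln.get(f.advisory_id)
        if stmt:
            f.status = stmt["status"]
            f.justification = stmt.get("justification")
    return findings


def triage(sbom_json: str = SBOM_JSON, advisories=ADVISORIES,
           statements=VEX_STATEMENTS, product: str = PRODUCT) -> dict:
    purls, unassessable = load_components(sbom_json)
    findings = apply_vex(match_advisories(purls, advisories), statements, product)
    return {
        "all": findings,
        "actionable": [f for f in findings if f.status != "not_affected"],
        "unassessable": unassessable,
    }


if __name__ == "__main__":
    result = triage()
    for f in result["all"]:
        print(f"{f.advisory_id:9} {f.purl:32} {f.severity:9} {f.status}")
    print("actionable:", [f.advisory_id for f in result["actionable"]])
    print("unassessable components:", result["unassessable"])
```

Run stand-alone, the script lists both raw findings, reports only the OpenSSL advisory as actionable, and calls out the versionless component as unassessable. The VEX overlay is keyed on the exact product identifier on purpose: a “not affected” statement for one firmware build must not be inherited by a different build where the vulnerable code might be present.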

Security is the responsibility of healthcare delivery organizations as well as medical device manufacturers. But again, the new requirements apply only to manufacturers—and only to new premarket submissions at that. The installed base of devices already running in hospitals is untouched. As such, it’s smart to see this legislation as one part of a more comprehensive approach, not as the whole story.

To protect the devices already in use, and to supplement the tighter restrictions on manufacturers, healthcare organizations should solidify their own defenses. This includes analysis of medical devices for vulnerabilities as done by Asimily Insight.

Protect Your Medical Devices with Asimily 

The Omnibus Spending Bill and the PATCH Act aim to enhance healthcare cybersecurity, but they’re just the start. The new requirements on medical device manufacturers point the way toward broader security measures. Manufacturers, healthcare organizations, and cybersecurity experts must work hand-in-hand for complete protection.

Asimily is the leading healthcare cybersecurity company, with innovative software that tracks and defends medical devices. It expands on the basic protections in the new legislation to offer fine-tuned countermeasures against the ever-evolving landscape of threats.

Schedule a demo now to see how Asimily improves your operational efficiency and cuts device downtime.
