Yesterday I mentioned that Rep. Blackburn (R,TN) introduced HR 3303, the Sensible Oversight for Technology which Advances Regulatory Efficiency Act of 2013 (with the snappy short title – SOFTWARE Act of 2013). I had hoped that this bill would be addressing (at least in part) cybersecurity issues for medical software regulated by the FDA. Boy was I wrong.
The Provisions
It starts off by defining ‘medical software’ in 21 USC §321 as software that would be intended or marketed to either “directly change the structure or any function of the body of man or other animals” {§321(ss)(1)(A)} or be used “by consumers and makes recommendations for clinical action” {§321(ss)(1)(B)}. The definition specifically excludes software that is “integral to the functioning of a drug or device” {§321(ss)(2)} or a component of a device. So the software controlling communications with Vice-President Cheney’s pacemaker would be excluded from the definition of ‘medical software’.
Section 2(b) of the bill would add a new section to 21 USC Subchapter V (§524B) that would make the provisions of 21 USC Subchapter V Part A apply to medical software and treat it like devices.
Section 3 of the bill would add another definition to 21 USC §321; ‘clinical software’ is software used in a clinical setting that “captures, analyzes, changes, or presents patient or population clinical data or information and may recommend courses of clinical action, but does not directly change the structure or any function of the body of man or other animals” {§321(tt)(1)(A)}. It specifically includes in this definition “associated hardware and process dependencies” {§321(tt)(1)}.
Another term is also included in this paragraph (though it is odd that it does not get a paragraph of its own); ‘health software’ is software which is not medical software or clinical software. It includes software (again including hardware and associated processes) that:
• Captures, analyzes, changes, or presents patient or population clinical data or information {§321(tt)(2)(A)};
• Supports administrative or operational aspects of health care and is not used in the direct delivery of patient care {§321(tt)(2)(B)}; or
• Has as its primary purpose acting as a platform for secondary software, running or acting as a mechanism for connectivity, or storing data {§321(tt)(2)(B)}.
Section 3 goes on to add another section to 21 USC Subchapter V Part A {§524(C)} that specifically excludes clinical software or health software from regulation by the FDA.
What Is Missing
There is nothing in this bill that addresses or even identifies concerns about cybersecurity for any of these three types of software. This bill would be a very good place for Congress to specifically provide FDA the authority to regulate the security of software that might directly affect the health or life of individuals or the privacy of an individual’s medical information.
Moving Forward
It is unusual for a bill to actually be published by GPO the day after it is introduced in the House. Bills that get this expedited service have typically been identified for early action. Since Ms. Blackburn is Vice-Chair of the House Energy and Commerce Committee, the sole committee given jurisdiction over this bill, I would assume that it will get prompt attention in that Committee and will move promptly to the floor. It will probably get considered under suspension of the rules.