Earlier this month Rep. Blackburn (R,TN) introduced HR 2396, the Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act, which addresses the regulation of medical software. In many ways it is similar to her HR 3303 of last session, but there are some subtle differences.
Definitions
The bill starts off by adding a new definition to the Federal Food, Drug and Cosmetic Act (at 21 USC 321) that defines ‘health software’. It defines the term in the negative sense, explaining what it is not. In short, it defines ‘health software’ as medically related software that would have no direct effect on patient health or safety.
Under the same paragraph it also defines another, somewhat odder term: ‘accessories’. This is not specifically software; it is defined as a product that {new §321ss(2)}:
∙ Is intended for use with one or more parent devices;
∙ Is intended to support, supplement, or augment the performance of one or more parent devices.
Software Regulation
Section 3 of the bill would add a new section to the Drugs and Devices chapter of the Federal Food, Drug, and Cosmetic Act. This section provides authority for the Secretary of Health and Human Services to regulate software. First, though, it begins with a negative, prohibiting the Secretary from regulating health software.
This prohibition does have an exception for health software that “provide patient-specific recommended options to consider in the prevention, diagnosis, treatment, cure, or mitigation of a particular disease or condition” {new §321ss(1)(F)} where the Secretary determines that the software “poses a significant risk to patient safety” {new 21 USC 361o(b)(1)(B)}.
The real difference between this bill and the one from last session lies in paragraph (c) of the new §361o, which specifically provides authority for the Secretary to regulate software (other than ‘health software’). It also provides authority for the Secretary to regulate software via ‘administrative order’ as long as proposed orders are first published in the Federal Register.
It also requires the Secretary to review existing regulations and guidance regarding the regulation of software and to update those regulations and guidance as necessary. In conducting the review the following areas will be reviewed {new §361o(c)(3)}:
∙ Classification of software;
∙ Standards for development of software;
∙ Standards for validation and verification of software;
∙ Review of software;
∙ Modifications to software;
∙ Manufacturing of software;
∙ Quality systems for software;
∙ Labeling requirements for software; and
∙ Post-marketing requirements for reporting of adverse events.
Moving Forward
Blackburn is a mid-ranking member of the Health Subcommittee of the House Energy and Commerce Committee. That, combined with the fact that her co-sponsor {Rep. Green (D,TX)} is the Ranking Member of the Subcommittee, means there is a pretty good chance that this bill will be considered by the Committee.
There does not appear to be anything in the bill that would cause any serious opposition if it does make its way to the floor of the House. The only question is whether Blackburn and Green can convince the leadership to move the bill forward.
Commentary
In light of the recent controversy surrounding the security vulnerabilities reported in the Hospira Infusion Pump software, I am surprised and disappointed not to see security specifically mentioned as one of the areas for review of software regulations. With patient safety also not being specifically identified, I am concerned that the FDA may not feel justified in taking actions to regulate the security of medical device software.
There are, of course, a number of places still in the legislative process where an amendment could add language addressing these two issues. Some specific changes (in italics) to §361o(c)(3) that I would like to see would include:
(B) Standards for development of software *including secure development practices*;
(C) Standards for validation and verification of software *including security testing*;
(E) Modifications to software *including security patching*;
(I) Postmarketing requirements for reporting of adverse events *and security vulnerabilities, including coordination with ICS-CERT for security vulnerabilities*.
It would also be helpful if there were specific language requiring the Secretary to coordinate with NIST and DHS during the required software regulation review process. And finally, there should be a specific requirement for users of the software to report any suspected cyberattacks on regulated software to the FBI and ICS-CERT.