Monday, June 6, 2022

Review - S 4336 Introduced – Medical Device Cybersecurity

Last month, Sen Rosen (D,NV) introduced S 4336, the Strengthening Cybersecurity for Medical Devices Act. The bill would require the Department of Health and Human Services (HHS), in cooperation with CISA, to update their cybersecurity guidance for the management of cybersecurity for medical devices. The bill includes an obligatory report by the Government Accounting Office. No funding is authorized by this bill.

Moving Forward

Rosen is a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration. This means that there should be sufficient influence available to see this bill considered in Committee. I do not see anything in this bill that would engender any specific opposition. I suspect that the bill would receive significant bipartisan support within the Committee.

As with most bills introduced in the Senate, this bill is not important enough to be considered under regular order. This bill could be a candidate for consideration under the unanimous consent process, but it is more likely to be added to a spending bill or an authorization bill.


As I mentioned in my post about the FDA Draft Guidance on Quality System Considerations and Content of Premarket Submissions, the current cybersecurity concerns around medical devices are narrowly focused on cybersecurity. While that is a genuinely important focus to take, given the health and safety concerns about medical devices, I think that there should be a broader focus on the topic of Consequence-driven Cyber-informed Engineering (CCE). Since that cyber-safety focused program was developed by the Idaho National Laboratory (INL), I think that it might be appropriate for legislation like this to direct HHS to commission a study by INL to look at how CCE might be applied to the development of medical devices. To that end I would include a new §5:

“Sec. 5. Consequence-driven Cyber-informed Engineering. 

“The Secretary will commission a study by the Idaho National Laboratory to examine how the use of Consequence-driven Cyber-informed Engineering concepts might be applied to the development of medical devices. The study shall include examining—

“(1) What types of safety measures might be used to compensate for system failures, including cyber attacks?

“(2) What costs would be associated with adding those safety measures?”


For more details about the provisions of this legislation, see my article at CFSN Detailed Analysis - - subscription required.
