The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medical Device Cybersecurity Provisions Included in Omnibus Appropriations Bill

The text of a $1.7 trillion omnibus appropriations bill has been released by the House and Senate Appropriations Committees which, if passed, will ensure that the government remains funded until September 30, 2023. The Senate has already started debating the bill and the House is due to consider the bill this week. The bill must be signed by the president on Friday this week, when government funding is set to expire.

The 4,155-page bill includes many healthcare provisions that will help hospitals and health systems provide better care for patients. These include the prevention of the 4% Medicare PAYGO cuts to providers, financial support for rural hospitals to ensure they can continue to operate, measures to help states prepare for Medicaid eligibility changes when the COVID-19 Public Health Emergency comes to an end, and extensions and expansions of telehealth flexibilities until December 31, 2024. This will help to ensure that telehealth and hospital-at-home programs can continue to provide convenient and accessible medical treatment for patients. The bill will also provide funding for essential behavioral health programs and several provisions that will help to increase the healthcare workforce.

The bill proposes $120.7 billion in funding for the Department of Health and Human Services, increasing HHS funds by a further $9.9 billion from last year. Funding for the Centers for Medicare and Medicaid Services will increase by $100 million, the National Institutes of Health will receive an additional $2.5 billion to focus on research on a range of diseases and medical conditions, the Centers for Disease Control and Prevention will receive a further $760 million, primarily to fund fundamental public health activities and emergency preparedness, and the Substance Abuse and Mental Health Services Administration will receive an additional $970 million for mental health programs and for expanding access to its services.

In September, the Food and Drug Administration (FDA) appropriations bill was passed to ensure the FDA continued to be funded, but in order for the bill to be passed, the FDA was forced to drop its proposed medical device cybersecurity requirements, many of which were taken from The Protecting and Transforming Cyber Health Care (PATCH) Act. Those requirements were blocked by the Senate Republican leadership.

There is good news in this regard, as the omnibus appropriations bill includes new requirements for medical device manufacturers to ensure that their devices meet certain minimum standards for cybersecurity. Those requirements will take effect 90 days after the bill is enacted. Manufacturers must submit a plan to the Secretary of the FDA to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures. They must also ensure their devices and associated systems are secure, and must release postmarket software and firmware updates and patches. Medical device manufacturers will also be required to provide a Software Bill of Materials (SBOM) to the Secretary of the FDA that includes all off-the-shelf, open source, and critical components used by the devices.

The bill calls for the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days, and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities, and how federal agencies can strengthen coordination to improve the cybersecurity of devices.

HIPAA called for the creation of a unique patient identifier (UPI), but funding has not been provided to date. The appropriations bill continues to prohibit funding for a national patient identifier, even though a UPI would help to ensure that patients can be accurately linked with the correct medical records.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
