FDA proposes new cybersecurity, supply chain and inspection laws for medical device manufacturers

Ventilators were in high demand during the first peaks of the COVID-19 pandemic. (Image from Raumedic)

The FDA today offered a slate of proposed laws for Congress to consider along with the agency’s $8.4 billion budget request for fiscal year 2023.

The legislative wish list includes several proposals that would affect medical device developers, manufacturers and distributors, including cybersecurity requirements for medical devices, mandatory supply chain reporting, remote inspections for FDA-regulated facilities and the destruction of dangerous imports.

Medical device cybersecurity

One proposal would require medical device manufacturers to design cybersecurity into their devices, such as the ability to update and patch software in a timely manner. Manufacturers would also need to provide cybersecurity assurance in premarket submissions, include a Software bill of Materials that tells patients and doctors which components may be subject to cyber threats, and publicly disclose vulnerabilities when they surface and warn how users can protect themselves.

“These authorities are critical, as FDA has already seen and responded to several ransomware and other malware incidents within the healthcare sector,” the agency said in its proposal. “Stronger cybersecurity protections are necessary to ensure we remain prepared to protect patients and our healthcare workers on the front lines. Enacting FDA’s proposal would reduce the likelihood of harm to patients, interrupted access to devices, and loss of market share or market withdrawal for devices for which a vulnerability is identified as a result of cybersecurity incidents.”

Remote FDA inspections

Another proposal would allow the FDA to require manufacturers to cooperate with remote interactive inspections, which are currently voluntary for non-drug establishments.

“Reliance on voluntary requests is not sufficient to achieve effective and efficient oversight, as firms can refuse to provide records or other information in advance of or in lieu of an inspection or to participate in remote regulatory assessments,” the FDA said.

The proposal would give the FDA explicit authority to conduct remote regulatory assessments, which could include teleconferences, screensharing and livestreaming video of operations.

Supply chain reporting

The FDA wants expanded authority to detect and address supply chain shortages well before they become problems, citing the COVID-19 pandemic’s persistent strain on testing supplies and personal protective equipment. Seeking additional power outside of pandemics and other public health emergencies — for example, when product recalls and natural disasters cause shortages that put patients at risk — the FDA called for new ways to “assure a more resilient domestic supply chain and help reduce dependence on foreign production.”

Most significantly, the agency proposes that medical device manufacturers should notify the FDA “any time there is the potential for a shortage and provide production volume information.”

Manufacturers would also be required to assess supply chain risk, implement risk management plans and identify backup suppliers and manufacturing locations.

Additionally, the FDA wants permission to allow “temporary importation of unapproved devices, with appropriate scientific and regulatory controls, when in the interest of the public health” and allow devices to be “distributed past their labeled shelf life, with appropriate, supportive scientific data, when needed to prevent or mitigate a shortage.”

In a separate proposal aimed at shortages of critical drugs due to “unnecessarily short expiration dates,” the FDA wants drugmakers to study the maximum shelf life of drugs that are life-supporting, life-sustaining or that prevent or treat debilitating diseases and conditions. The law would include a financial penalty for noncompliance.

Imported product destruction

The FDA also wants legal authority to order the destruction of FDA-regulated imports that present significant public health risks and have been refused entry into the country.

The idea is to prevent product owners and consignees from attempting to move products that post health risks, and to prevent them from re-importing products that have been sent back. The importer of record would pay for the product destruction up front so the FDA and Customs and Border Protection don’t have to file legal action to recover those costs.

An executive summary of the FDA’s legislative proposals can be downloaded as a PDF here.