Medical Device Cybersecurity Enhanced with Introduction of the Protecting and Transforming Cyber Health Care (PATCH) Act

U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) have introduced the bipartisan Protecting and Transforming Cyber Health Care (PATCH) Act, which seeks to enhance the security of medical technology.

Flaws are often discovered in medical devices that can be targeted by cybercriminals, who can alter the functionality of the devices, make them unusable, or repurpose them to conduct attacks on large healthcare networks. During the COVID-19 pandemic there was a massive surge in cyberattacks targeting healthcare groups, and medical devices and the organizational networks to which they connect have been impacted by ransomware attacks. These attacks have caused damage to hospitals, patients, and the medical device sector.

The PATCH Act was introduced as an attempt to secure the U.S. healthcare system’s cyber infrastructure. It would amend the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to list details of the cybersecurity protections that have been configured.

If the changes are approved, producers will need to ensure that critical cybersecurity requirements have been put in place before a medical device gains final approval for use by the Food and Drug Administration (FDA). The PATCH Act also requires manufacturers of medical devices to formulate, develop, and implement processes and procedures to update and patch the devices and connected systems during the lifecycle of the device. A Software Bill of Materials for every device must also be given to users, which will make it simpler to identify flaws that impact the devices, including flaws in open source components and dependencies.

The PATCH Act also states that medical device manufacturers must create a plan for monitoring, discovering, and addressing post-market cybersecurity flaws, and a Coordinated Vulnerability Disclosure must be available to show the safety and effectiveness of a device.

Dr. Cassidy said: “New medical technologies have incredible potential to improve health and quality of life. If Americans cannot rely on their personal information being protected, this potential will never be met.”

Senator Baldwin said: “In recent years, we’ve seen a significant increase in cyber-attacks that have exposed vulnerabilities in our health care infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients. I am excited to introduce the bipartisan PATCH Act to ensure that innovative medical technologies are better protected from cyber threats and keep personal health information safe while also finding new ways to improve care.”

Representatives Michael C. Burgess (R-TX) and Angie Craig (D-MN) introduced a companion bill in the House of Representatives.