AHA Expresses Member Support for PATCH Act, Medical Device Security

June 29, 2022 - On behalf of its nearly 5,000 member healthcare organizations, the American Hospital Association (AHA) expressed its support for the Protecting and Transforming Cyber Health Care (PATCH) Act, which was introduced by Senators in April to enhance medical device security.

In a letter addressed to Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI), who first introduced the PATCH Act, the AHA said that the association and its members were committed to preventing cyberattacks and would support the PATCH Act’s intentions of doing the same via medical device security improvements.

“We are pleased to support this legislation to improve the security of medical devices, which can create cyber vulnerabilities and serious risks to the security and privacy of patient data along with vital medical technology used in care delivery,” the letter stated.

“Cyber vulnerabilities in medical devices, often containing outdated legacy technology, have posed a significant cyber risk to hospitals.”

The AHA pointed to the 2017 WannaCry ransomware attack and “scores of foreign-based ransomware attacks” targeting the US healthcare sector since then that have threatened patient safety and medical device operability.

If passed, the PATCH Act would enable the implementation of critical cybersecurity requirements for medical device manufacturers applying for premarket approval through the Food and Drug Administration (FDA). The act would also require manufacturers to design, develop, and maintain updates and patches throughout the lifecycle of their devices.

Manufacturers would also be required to create a plan for addressing postmarket cybersecurity vulnerabilities in a timely manner. In addition, manufacturers would be tasked with creating a software bill of materials (SBOM) for their product and its components.

“Manufacturers should be accountable for developing products with appropriate security controls, as well as updating devices as cyber threats continue to evolve. We also encourage the inclusion of a provision to clarify that FDA approval of devices would not be jeopardized as manufacturers provide these updates,” the letter continued.

“Great strides have been made by hospitals and health systems to defend provider networks, secure patient data, preserve health care delivery and, most importantly, protect patient safety.”

The industry’s reliance on legacy devices and systems, challenges with keeping track of all medical devices on a hospital’s network, and the increasing severity of cyber threats have posed significant medical device security challenges.

As the bill makes its way through the legislative process, healthcare organizations should be proactive in taking steps to secure medical devices, create an inventory, and apply patches and updates as necessary.