Senators Introduce PATCH Act to Ensure Medical Device Security

The Protecting and Transforming Cyber Health Care (PATCH) Act aims to ensure medical device security by implementing premarket cybersecurity requirements.

By Jill McKeon

US Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) introduced the Protecting and Transforming Cyber Health Care (PATCH) Act with the intention of ensuring medical device security at the premarket stage. Representatives Michael C. Burgess (R-TX) and Angie Craig (D-MN) introduced companion legislation in the House of Representatives.

Researchers have discovered numerous medical device security vulnerabilities in recent years that point to a need for industry standards and regulations to ensure security across the supply chain. Many medical devices operate on legacy systems, making them difficult to patch and easy for hackers to manipulate.

The PATCH Act would “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes,” the bill stated.

The PATCH Act would enable the implementation of critical cybersecurity requirements for medical device manufacturers applying for premarket approval through the Food and Drug Administration (FDA). The act would also require manufacturers to design, develop, and maintain updates and patches throughout the lifecycle of their devices.

“In recent years, we’ve seen a significant increase in cyber-attacks that have exposed vulnerabilities in our health care infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients,” Baldwin said in a press release.

“I am excited to introduce the bipartisan PATCH Act to ensure that innovative medical technologies are better protected from cyber threats and keep personal health information safe while also finding new ways to improve care.”

Manufacturers would also have to create a thorough plan for addressing postmarket cybersecurity vulnerabilities in a timely manner. In addition, manufacturers would be required to create a software bill of materials (SBOM) for their product and its components.

SBOMs are beneficial because they make it easier to monitor vulnerabilities and manage license compliance, and they allow developers to understand dependencies across components in an application.

In 2018, the FDA released SBOM market guidance, which put pressure on manufacturers to implement SBOMs. Although the healthcare sector is spearheading SBOM adoption, a lack of transparency and communication appears to be stalling progress.

The Healthcare & Public Health Sector Coordinating Councils (HSCC) published model contract language to help healthcare organizations ensure medical device security when crafting contracts with device manufacturers.

The need for a contract template stemmed from ongoing complications between healthcare organizations and medical device manufacturers regarding responsibility, accountability, and varying cybersecurity expectations.

“The more uniformity and predictability the sector can achieve in cross enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system,” HSCC stated in a press release.

If passed, the PATCH Act would expand on medical device manufacturing regulations and could help mitigate medical device security risks. In other news, Senators Cassidy and Jacky Rosen (D-NV) also recently introduced the Healthcare Cybersecurity Act, which aims to strengthen healthcare cybersecurity by partnering HHS with the Cybersecurity and Infrastructure Security Agency (CISA).