The passage of the Protecting and Transforming Cyber Health Care (PATCH) Act, will mark a significant step forward in regulating medical device cybersecurity. The bipartisan bill addresses the increased risks from evolving medical technology, including the rise of ransomware attacks on hospitals that have increased significantly in recent years. Some of the bill’s much-needed provisions include:
- Implementing critical cybersecurity requirements for manufacturers applying for premarket approval through the FDA.
- Allowing for the manufacturer to design, develop, and maintain processes and procedures to update and patch the device and related systems throughout the lifecycle of the device.
- Establishing a Software Bill of Materials for the device that will be provided to users.
- Requiring the development of a plan to monitor, identify, and address post-market cybersecurity vulnerabilities.
- Requesting a Coordinated Vulnerability Disclosure to demonstrate the safety and effectiveness of a device.
As more devices become integrated into everyday medical use, additional opportunities arise for hackers to launch ransomware attacks that can hold hospitals hostage and barter patients’ well-being. The current lack of cybersecurity regulation on medical technologies has further prevented the development of new devices, with the potential cost outweighing any gain. The bill’s new provisions and significant revisions to FDA regulations mean that the medical industry would need to address cybersecurity pre-emptively, with risk assessments and monitoring plans being necessary precursors to new technological developments.
“Attacks on healthcare are increasing in volume, variety, and impact – with consequences that now include the loss of life,” I Am The Cavalry’s Josh Corman testified to the Senate Health, Education, Labor & Pensions Committee. “While directionally-correct steps have been taken, we’re getting worse faster than we’re getting better.”
The PATCH Act is a necessary culmination of over nine years of work by dozens of industry leaders. I Am The Cavalry helped provide step-by-step support for the PATCH Act, including in the form of expert testimony, keeping the safety and privacy of users’ data at the forefront.
I Am The Cavalry believes that the development of life-saving technologies must be coupled with standardized, common-sense safety practices, bringing top technology experts and policymakers together to lay out new guidelines for industries slowly integrating into the Internet of Things (IoT).
When discussing the PATCH Act from last Congress, Suzanne Schwartz, Director of the Office of Strategic Partnerships & Technology Innovation at the Center for Devices & Radiological Health of the FDA, said it would “give [the FDA] teeth” and that “this really, for the first time, would establish very explicitly, authority in the area of cybersecurity and tie that directly to the safety of medical devices.” Schwartz went on to say “We want the devices of tomorrow to not have the same legacy issues that we’re dealing with today.”
The PATCH Act marks a significant milestone for making cybersecurity concerns a part of the product evaluation process for any new medical technology. Protecting the integrity of U.S. hospitals is paramount to the safety of all patients.