The PATCH Act seeks to strengthen the security of medical devices and IoT networks

The new Cyber Health Care Protection and Transformation Act would implement a series of new requirements for the security of medical devices and networks.

The bipartisan bill was introduced in the Senate this week by Sens. Tammy Baldwin, D-Wisconsin, and Dr. Bill Cassidy, R-Louisiana. There is already companion legislation in the House of Representatives sponsored by Representatives Dr. Michael C. Burgess, R-Texas, and Angie Craig, D-Minnesota.

The goal is to “help ensure that the US healthcare cyber infrastructure remains safe and secure,” even as ransomware and other cyberattacks have increased in scope and severity in recent years.

The PATCH Act would:

  • Impose a series of cybersecurity requirements for manufacturers applying for premarket approval through the Food and Drug Administration
  • Enable manufacturers to design, develop, and maintain processes and procedures for updating and patching the device and related systems throughout device lifecycles
  • Establish a software BOM for devices to be provided to users
  • Require the development of plans to monitor, identify, and address post-market cybersecurity vulnerabilities
  • Request a Coordinated Vulnerability Disclosure to demonstrate the security and effectiveness of a device

“In recent years, we have seen a significant increase in cyberattacks that have exposed vulnerabilities in our health care infrastructure,” Baldwin said in a statement. “We must take these lessons learned to better protect patients.”

She added: “The bipartisan PATCH Act [ensures] that innovative medical technologies are better protected from cyber threats and keep personal health information secure while finding new ways to improve care.”

As discussed in depth last month at HIMSS22, hospital security efforts “are no longer just about privacy and confidentiality. Cybersecurity is patient safety.”

In few areas is this more true than with networked medical devices and the Internet of Things.

With ransomware attacks now commonplace, risks from Russia and other state-sponsored threats on the rise, and remote patient monitoring recently in the crosshairs of cyber attackers, it’s more critical than ever to keep patients safe by ensuring devices are built and deployed with strong security built in.

However, beyond federal policy, hospitals and health systems themselves have an important role to play in device security.

“New medical technologies have incredible potential to improve health and quality of life,” Cassidy said of the Senate bill. “If Americans cannot trust that their personal information is protected, this potential will never be realized.”

“Throughout the pandemic, there has been an increase in ransomware attacks within medical devices and larger networks,” Burgess added, of the House companion bill. “This legislation will implement cybersecurity protocols and procedures for manufacturers seeking premarket approval through the Food and Drug Administration to ensure users are properly equipped to deal with foreign or domestic ransomware attacks. It’s time to examine how to modernize and protect our health care infrastructure.”

Twitter: @MikeMiliardHITN

Healthcare IT News is published by HIMSS.