September 30, 2022

Last Updated on January 14, 2024

US Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) recently introduced the Protecting and Transforming Cyber Healthcare (PATCH) Act, which seeks to improve medical device security at the premarket review stage. The bipartisan bill would create new baseline cybersecurity requirements for device manufacturers, which would need to be met prior to applying for FDA approval. The legislation also calls for plans to monitor and mitigate production vulnerabilities, as well as concrete plans to provide updates and patches.

The PATCH Act has been introduced in the Senate and referred to the Committee on Health, Education, Labor, and Pensions but has yet to come to a vote. Companion legislation has also been introduced in the US House of Representatives.

Purpose of the PATCH Act

If signed into law, the PATCH Act would “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.”

The need for industry standards and guidelines to improve medical device security is clear given the many vulnerabilities uncovered in recent years, plus growing concerns about exploitation of remote patient monitoring scenarios. As hackers continue to escalate their attacks on healthcare organizations, not only personal healthcare data but also patient safety is at stake.

New PATCH Act requirements

The PATCH Act would create several new cybersecurity requirements for medical devices as well as IoT networks, including:

  • Creating a Software Bill of Materials (SBOM) for devices, to be provided to users
  • Mandating device manufacturers to create processes for updating and patching their devices throughout their lifecycle
  • Obliging vendors to develop comprehensive plans to provide timely fixes to identified security vulnerabilities
  • Requiring a Coordinated Vulnerability Disclosure (CVD) process to validate device security

What the PATCH Act means for medical device manufacturers

For medical device designers and manufacturers, the proposed PATCH Act is another strong signal that the healthcare industry and patients increasingly equate device security with patient safety. The legislation also indicates that the US government is becoming both more savvy and more concerned about healthcare cybersecurity shortcomings.

While securing connected devices and the networks they communicate over involves many complexities, more legislation that IoT vendors will need to align with is surely coming.

To connect with an IoT security expert about securing devices, proving device security, and/or validating compliance with regulations or customer demands, contact Pivot Point Security.
