Next Steps on the PATCH Act Are of Significance for Both Medical Device Manufacturers and Healthcare Providers

By Troy Ament | October 21, 2022

Earlier this year, after nearly a decade of work, discussion, and advocacy by healthcare special interest groups, security industry experts, payers, and other stakeholders, bipartisan legislation was introduced to ensure that cybersecurity receives the attention it requires from medical device manufacturers and healthcare providers.

The “Protecting and Transforming Cyber Healthcare Act,” also known as the “PATCH Act,” would “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.”

Concurrently, the federal government is also considering updates to the FDA’s cybersecurity guidance for medical devices. With the growing use of IoMT (Internet of Medical Things) devices, which can be vulnerable to cyberattacks, this regulatory review is a major and welcome development for the health industry, medical device manufacturers, healthcare staff, and, most importantly, patients.

Why is the PATCH Act Important?

At the heart of the PATCH Act is the intent to treat medical device cybersecurity with the same care and diligence that the healthcare industry applies to patient safety and patient data. In short, lawmakers are responding to the clear need to make the cybersecurity of medical devices a requirement rather than an option.

The more IoMT devices join healthcare networks, the more exposed those networks become to intrusion and to threats such as ransomware. For years, the excitement over the benefits of deploying these life-saving devices for telehealth and telemedicine (serving and caring for patients at home or in remote locations) overshadowed their weaknesses and their lack of solid cybersecurity.

IoMT devices are connected directly to the internet or to healthcare organizations’ networks, yet they typically lack strong authentication and often run software with known vulnerabilities. Improving the defensive posture of medical devices is therefore essential.

The Impact on the MDM Industry and Healthcare Organizations

Although the PATCH Act is focused on medical device security, by imposing comprehensive cybersecurity governance on medical device manufacturers (MDMs), I believe healthcare organizations also need to be very aware of the legislation. The reason comes down to how these proposed requirements will be funded.

Both MDMs and healthcare systems must deal with legacy IoMT devices that are insecure or need to be better secured. In the past three or four years, the FDA has released voluntary cybersecurity guidance for medical devices, but it is guidance, not law, and following it is not a requirement. Compliance is always spotty when it is not mandated.

Up to now, cybersecurity has not been a mandatory part of the FDA’s medical device approval process, but that could change. If passed, the PATCH Act would turn the voluntary FDA guidance into a baseline requirement. Cybersecurity would then need to be embedded in medical devices for them to be approved by the agency.

The Big Question and the Bigger Question

For this legislation to be effective, healthcare organizations need to consider funding and what to do with existing devices. They also need to plan for the transition period once the law is enacted, and they will likely need to establish an accountability mechanism to demonstrate compliance to the government.

A big question government authorities might be asking is: “Are we going to require health systems to replace their medical devices sooner rather than later?” In an ideal world, the answer is sooner, because the sooner insecure legacy devices are replaced, the sooner the healthcare industry becomes more secure. If the answer is “sooner,” then the bigger question becomes: “How are all the replacements going to get paid for?”

In the U.S., roughly half of patient care is paid for through Medicare and Medicaid, that is, through government reimbursement to health systems. So if these new government regulations arrive without funding (healthcare providers label such rules “unfunded mandates”), there is no way providers could absorb the cost and burden alone. Medical device manufacturers and healthcare systems are pushing hard to get funding considered as part of the PATCH Act, but at this point funding is not part of the proposed legislation.

Security Should Never be an Afterthought

Medical device manufacturers should already be fortifying their new devices in line with the latest voluntary FDA guidance. Cyber adversaries are getting more and more successful at finding gaps and vulnerabilities in a healthcare provider’s network environment to gain access. Unfortunately, once attackers can move laterally through a network, they can reach IoMT and other devices, with a critical impact that can directly affect patient care.

Healthcare is not the only industry being transformed by digital acceleration in this way. Critical infrastructure such as power grids, pipelines, water and wastewater, and other industrial sectors face similar pressure to protect their IoT (Internet of Things) endpoints. Cybercriminals are attacking OT (operational technology) systems as they come online and converge with IT, much as attackers are using IoMT devices to gain access to healthcare systems’ networks.

Advances in cybersecurity infrastructure will continue to benefit patient care if healthcare leaders, manufacturers, and government leaders remember that security should never be an afterthought.

Keep up with the latest advances in patient care while protecting against cyberattacks with Fortinet’s healthcare cybersecurity solutions.