HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

The Protecting and Transforming Cyber Health Care (PATCH) Act Introduced to Improve Medical Device Cybersecurity

A bipartisan pair of senators have introduced the Protecting and Transforming Cyber Health Care (PATCH) Act which aims to improve the security of medical devices.

Vulnerabilities are often identified in medical devices that could potentially be exploited by threat actors to change the functionality of the devices, render them inoperable, or to allows the devices to be used as a springboard for more extensive attacks on healthcare networks. Over the course of the pandemic, cyberattacks on healthcare organizations have increased, and medical devices and the networks to which they connect have been affected by ransomware attacks. These attacks have affected hospitals, patients, and the medical device industry.

U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the PATCH Act to ensure that the U.S. healthcare system’s cyber infrastructure remains safe and secure. The PATCH Act will update the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include details of the cybersecurity protections that have been implemented.

If passed, before a medical device can be approved for use by the Food and Drug Administration (FDA), manufacturers will need to ensure that critical cybersecurity requirements have been implemented. The PATCH Act also calls for manufacturers of medical devices to design, develop, and maintain processes and procedures to update and patch the devices and related systems throughout the lifecycle of the device. A Software Bill of Materials for each device must also be provided to users which will make it easier to identify vulnerabilities that affect the devices, including vulnerabilities in open source components and dependencies.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The Patch Act also requires medical device manufacturers to develop a plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities, and a Coordinated Vulnerability Disclosure will be required to demonstrate the safety and effectiveness of a device.

“New medical technologies have incredible potential to improve health and quality of life,” said Dr. Cassidy. “If Americans cannot rely on their personal information being protected, this potential will never be met.”

“In recent years, we’ve seen a significant increase in cyber-attacks that have exposed vulnerabilities in our health care infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients,” said Senator Baldwin. “I am excited to introduce the bipartisan PATCH Act to ensure that innovative medical technologies are better protected from cyber threats and keep personal health information safe while also finding new ways to improve care.”

A companion bill was introduced by reps. Michael C. Burgess (R-TX) and Angie Craig (D-MN) in the House of Representatives.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.