PATCHing Health Technologies: Medical Device Security is the Target in Congress’ Aim

Marisa Polowitz

Associate Editor

Loyola University Chicago School of Law, JD 2023

Conversations about the privacy and security of health information systems and patient data are ongoing, and frequently front-page news. But what about healthcare’s “internet of things”? More specifically, the web of wearable or implantable medical devices, and the applications that go along with them, which collect and transmit health information? The Food and Drug Administration (FDA) is charged with approving medical devices for patient use in a clinical setting, such as pacemakers. These devices require FDA approval and cannot be altered after receiving that approval. Additionally, an upgrade to an approved device could result in the need for an entirely new FDA approval, making device’s security essentially obsolete soon after its deployment. The inability to upgrade device security poses a unique cybersecurity risk. And this risk is one that Congress seems poised to take on.

The PATCH Act

The Protecting and Transforming Cyber Health Care Act, or the PATCH Act (the Act), is a bipartisan bill recently proposed in the Senate. Aiming to amend the Federal Food, Drug, and Cosmetic Act, the goal of the Act is to “help ensure that the U.S. healthcare system’s infrastructure remains safe and secure.” Congressional traction appears to be widespread, as bipartisan companion legislation was proposed in the House, as well.

The Act sets cybersecurity requirements that satisfy “reasonable assurances” of cybersecurity protections for any “cyber device of information” through the device’s entire lifecycle. Should the Act be enacted, it will require that manufacturers plan for, monitor, identify, and address cybersecurity risks throughout the device’s lifetime, both pre- and post-market. Additionally, manufacturers will be required to disclose vulnerabilities and provide updates and patches to limit cybersecurity risks on a regular cadence. Regarding critical vulnerabilities occurring out of normal update cadence, manufacturers would be required to address and resolve them as soon as possible. This would mean that updates, upgrades, security enhancements and patches on medical devices would no longer make the device non-compliant.

An industry-wide problem

It’s no secret that health care organizations and systems are frequently in the crosshairs of cyber criminals.  Cyberattacks on the industry are so prevalent that the Department of Health and Human Services (HHS) established a Healthcare Cybersecurity Task Force specifically to address the problem. In 2021, more than 40 million patient records were compromised due to reported cyber incidents. Just last month, hackers gained access to 850,000 records containing personally identifiable information (PII) in a single ransomware attack on one health system. Not only is this the biggest attack thus far in 2022, but it is also the eighth largest healthcare cyberattack ever. While risks and vulnerabilities of healthcare information systems and networks have been widely discussed, and are regularly addressed, those specifically pertaining to medical devices are not.