{"id":4626,"date":"2022-04-19T09:15:57","date_gmt":"2022-04-19T14:15:57","guid":{"rendered":"https:\/\/blogs.luc.edu\/compliance\/?p=4626"},"modified":"2022-04-19T09:15:57","modified_gmt":"2022-04-19T14:15:57","slug":"patching-health-technologies-medical-device-security-is-the-target-in-congress-aim","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=4626","title":{"rendered":"PATCHing Health Technologies: Medical Device Security is the Target in Congress\u2019 Aim"},"content":{"rendered":"<p><em>Marisa Polowitz<\/em><\/p>\n<p><em>Associate Editor<\/em><\/p>\n<p><em>Loyola University Chicago School of Law, JD 2023<\/em><\/p>\n<p>Conversations about the privacy and security of health information systems and patient data are ongoing, and frequently front-page news. But what about healthcare\u2019s \u201cinternet of things\u201d? More specifically, the web of wearable or implantable medical devices, and the applications that go along with them, which collect and transmit health information? The Food and Drug Administration (FDA) is charged with <a href=\"https:\/\/www.fda.gov\/medical-devices\">approving medical devices<\/a> for patient use in a clinical setting, such as pacemakers. These devices require FDA approval and cannot be altered after receiving that approval. Additionally, an upgrade to an approved device could result in the need for an entirely new FDA approval, making the device\u2019s security essentially obsolete soon after its deployment. The <a href=\"https:\/\/www.healthcareitnews.com\/news\/building-medical-device-security-program-isnt-always-easy-its-worth-it\">inability to upgrade device security<\/a> poses a unique cybersecurity risk. 
And this risk is one that <a href=\"https:\/\/www.healthcareitnews.com\/news\/patch-act-seeks-shore-security-medical-devices-iot-networks\">Congress seems poised<\/a> to take on.<\/p>\n<p><strong>The PATCH Act<\/strong><\/p>\n<p>The Protecting and Transforming Cyber Health Care Act, or the PATCH Act (the Act), is a <a href=\"https:\/\/www.congress.gov\/bill\/117th-congress\/senate-bill\/3983\/text?r=1&amp;s=1\">bipartisan bill<\/a> recently proposed in the Senate. Aiming to amend the Federal Food, Drug, and Cosmetic Act, the <a href=\"https:\/\/www.healthcareitnews.com\/news\/patch-act-seeks-shore-security-medical-devices-iot-networks\">goal of the Act<\/a> is to \u201chelp ensure that the U.S. healthcare system\u2019s infrastructure remains safe and secure.\u201d Congressional traction appears to be widespread, as bipartisan companion legislation was <a href=\"https:\/\/www.congress.gov\/bill\/117th-congress\/house-bill\/7084\/text?r=1&amp;s=1\">proposed in the House<\/a>, as well.<\/p>\n<p>The Act sets <a href=\"https:\/\/www.congress.gov\/bill\/117th-congress\/senate-bill\/3983\/text?r=1&amp;s=1\">cybersecurity requirements<\/a> that satisfy \u201creasonable assurances\u201d of cybersecurity protections for any \u201ccyber device of information\u201d through the device\u2019s entire lifecycle. Should the Act be enacted, it will require that manufacturers plan for, monitor, identify, and address cybersecurity risks throughout the device\u2019s lifetime, both pre- and post-market. Additionally, manufacturers will be required to disclose vulnerabilities and provide updates and patches to limit cybersecurity risks on a regular cadence. Regarding critical vulnerabilities occurring out of normal update cadence, manufacturers would be required to address and resolve them as soon as possible. 
This would mean that updates, upgrades, security enhancements and patches on medical devices would no longer make the device non-compliant.<\/p>\n<p><strong>An industry-wide problem<\/strong><\/p>\n<p>It\u2019s no secret that <a href=\"http:\/\/blogs.luc.edu\/compliance\/?p=4138\">health care organizations and systems<\/a> are frequently in the crosshairs of cyber criminals. Cyberattacks on the industry are so prevalent that the Department of Health and Human Services (HHS) established a <a href=\"https:\/\/www.phe.gov\/Preparedness\/planning\/CyberTF\/Pages\/default.aspx\">Healthcare Cybersecurity Task Force<\/a> specifically to address the problem. In 2021, <a href=\"https:\/\/www.healthcareitnews.com\/news\/biggest-healthcare-data-breaches-2021\">more than 40 million patient records<\/a> were compromised due to reported cyber incidents. Just last month, hackers <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/cyber-attack-on-california\/\">gained access to 850,000 records<\/a> containing personally identifiable information (PII) in a single ransomware attack on one health system. Not only is this the biggest attack thus far in 2022, but it is also the eighth largest healthcare cyberattack ever. While risks and vulnerabilities of healthcare information systems and networks have been widely discussed, and are regularly addressed, those specifically pertaining to medical devices are not.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Conversations about the privacy and security of health information systems and patient data are ongoing, and frequently front-page news. 
But what about healthcare\u2019s \u201cinternet of things\u201d? More specifically, the web of wearable or implantable medical devices, and the applications that go along with them, which collect and transmit health information? The Food and Drug Administration (FDA) is charged with approving medical devices for patient use in a clinical setting, such as pacemakers. These devices require FDA approval and cannot be altered after receiving that approval. Additionally, an upgrade to an approved device could result in the need for an entirely new FDA approval, making the device\u2019s security essentially obsolete soon after its deployment. The inability to upgrade device security poses a unique cybersecurity risk. And this risk is one that Congress seems poised to take on.<\/p>\n","protected":false},"author":90,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[554,571,821,1205,1534,1537,1623],"class_list":["post-4626","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cyber-security","tag-data-privacy","tag-federal-cybersecurity-law","tag-journal-of-regulatory-compliance","tag-patient-data","tag-patient-security","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/90"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4626"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4626\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}