Thought Leadership

Next Steps on the PATCH Act Are of Significance for Both Medical Device Manufacturers and Healthcare Providers

By Troy Ament, Fortinet Field CISO for Healthcare

After nearly a decade of advocacy by healthcare special interest groups, industry experts, and other stakeholders, bipartisan legislation was introduced to ensure cybersecurity receives the attention of medical device manufacturers and healthcare providers. 

At the heart of the PATCH Act (“Protecting and Transforming Cyber Healthcare Act”) is the desire to treat medical devices with the same security, care, and diligence that the healthcare industry treats patient safety and data. In short, lawmakers are responding to the obvious need to ensure the cybersecurity of medical devices. 

Concurrently, the federal government is also considering updates to the U.S. Food and Drug Administration’s (FDA) cybersecurity guidance for medical devices, which are connected directly to the internet or to healthcare organizations’ networks, yet typically lack strong authentication and often rely on vulnerable software.

Impact on the Medical Device Industry and Healthcare Organizations

Although the PATCH Act focuses on medical device security by imposing comprehensive cybersecurity governance on medical device manufacturers (MDMs), we believe healthcare organizations also need to be very aware of the legislation, particularly to understand how manufacturers will fund the proposed requirements.

Over the past three or four years, the FDA has released voluntary guidance on medical device cybersecurity, but that guidance is neither law nor a requirement. Up to now, cybersecurity has not been a part of the FDA’s medical device approval process — but that could change. If passed, the PATCH Act would turn the voluntary FDA guidance into a baseline requirement. Cybersecurity would therefore need to be embedded in medical devices for them to be approved by the agency.

The Big Question and the Bigger Question

If this legislation is enacted, the big question is whether government authorities will ask health systems to replace their medical devices sooner rather than later. If the answer is “sooner,” then the bigger question becomes: “How will all the replacement devices get paid for?”

In the U.S., about half of patient care is paid for via Medicare and Medicaid. So, if this new requirement is approved without funding — healthcare providers label these types of rules “unfunded mandates” — there is no way they could absorb the cost and burden alone. Of course, medical device manufacturers and healthcare systems are pushing hard to get funding included as part of the PATCH Act, but at this point it is not part of the proposed legislation.

Security Should Never be an Afterthought

Medical device manufacturers should be fortifying new devices in line with the latest voluntary FDA guidance, as cyber adversaries are increasingly successful at finding gaps and vulnerabilities in healthcare providers’ network environments and using them to gain access.

Note: healthcare isn’t the only industry being transformed by digital acceleration in this way. Critical infrastructure sectors such as power grids, pipelines, water and wastewater, and other industrial operators are feeling similar pressure to protect their Internet of Things (IoT) endpoints.

Advances in cybersecurity infrastructure will continue to benefit patient care if healthcare leaders, manufacturers, and government leaders remember that security should never be an afterthought.

Learn more about the latest healthcare cybersecurity solutions by visiting the Fortinet Healthcare Team at ATA2023, Booth #1304. 

Troy Ament, Fortinet Field CISO for Healthcare, has more than 20 years of experience transforming information technology and security programs, including 14 years in the healthcare sector as an executive overseeing clinical technology implementations. Before joining Fortinet, Troy served as Chief Information Security Officer at Beaumont Health and Director, Chief Information Security Officer at Sanford Health where he had oversight of the Security Technology, Security Operations, Identity and Access Management, and Governance Risk and Compliance (GRC) Teams.

 
