U.S. Senators Bill Cassidy, MD (R-LA) and Tammy Baldwin (D-WI) introduced the Protecting and Transforming Cyber Health Care (PATCH) Act, to ensure the safety of the country’s healthcare cyber infrastructure. 

Over the course of the pandemic, there have been countless ransomware attacks within medical devices and larger networks in healthcare. Attacks which affect patients, hospitals, and the medical device industry.

“New medical technologies have incredible potential to improve health and quality of life,” says Cassidy. “If Americans cannot rely on their personal information being protected, this potential will never be met.”

Baldwin echoed the significance of these cyberattacks, and how the PATCH Act will support healthcare.

“In recent years, we’ve seen a significant increase in cyber-attacks that have exposed vulnerabilities in our health care infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients,” says Baldwin. “I am excited to introduce the bipartisan PATCH Act to ensure that innovative medical technologies are better protected from cyber threats and keep personal health information safe while also finding new ways to improve care.”

U.S. Representatives Michael C. Burgess, MD (R-TX) and Angie Craig (D-MN) introduced the companion legislation in the House of Representatives.

“The U.S. health care system is and will always remain to be a critical infrastructure,” says Burgess.“We must take action and necessary steps to ensure that it remains cyber secure. Throughout the pandemic, there was spike in ransomware attacks within medical devices and larger networks. These attacks affect hospitals, the medical device industry, and most importantly American patients.”

The PATCH Act would:

  • Implement critical cybersecurity requirements for manufacturers applying for premarket approval through the FDA.
  • Allow for the manufacturer to design, develop, and maintain processes and procedures to update and patch the device and related systems throughout the lifecycle of the device.
  • Establish a Software Bill of Materials for the device that will be provided to users.
  • Require the development of a plan to monitor, identify, and address post market cybersecurity vulnerabilities.
  • Request a Coordinated Vulnerability Disclosure to demonstrate safety and effectiveness of a device.

“Over the past several years, bad actors have increasingly relied on cybersecurity vulnerabilities to take advantage of unsuspecting individuals and undermine our national security. That trend is especially alarming when it comes to personal medical devices, which can be exploited by cybercriminals – threatening the health and wellbeing of countless Americans,” says Craig. “I’m proud to join Representative Burgess and Senators Baldwin and Cassidy in this effort to bolster security in the medical device industry and defend American patients from ransomware and other attacks.”