On March 31, U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the Protecting and Transforming Cyber Health Care (PATCH) Act. U.S. Representatives Michael C. Burgess, M.D. (R-TX) and Angie Craig (D-MN) introduced the companion legislation in the House of Representatives. According to a press release, the act aims to ensure that cyber infrastructure in the U.S. healthcare system remains “safe and secure” for patients.
The release states that “Over the course of the pandemic, there have been a number of ransomware attacks within medical devices and larger networks. These attacks affect patients, hospitals, and the medical device industry.”
According to the release, “The PATCH Act would:
- Implement critical cybersecurity requirements for manufacturers applying for premarket approval through the FDA.
- Allow for the manufacturer to design, develop, and maintain processes and procedures to update and patch the device and related systems throughout the lifecycle of the device.
- Establish a Software Bill of Materials for the device that will be provided to users.
- Require the development of a plan to monitor, identify, and address post market cybersecurity vulnerabilities.
- Request a Coordinated Vulnerability Disclosure to demonstrate safety and effectiveness of a device.”
Cassidy was quoted in the release saying that "New medical technologies have incredible potential to improve health and quality of life. If Americans cannot rely on their personal information being protected, this potential will never be met."
Burgess was also quoted saying that “The U.S. healthcare system is and will always remain a critical infrastructure. We must take action and necessary steps to ensure that it remains cyber secure. Throughout the pandemic, there was a spike in ransomware attacks within medical devices and larger networks. These attacks affect hospitals, the medical device industry, and most importantly American patients. This legislation will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the Food and Drug Administration to ensure that users are properly equipped to deal with foreign or domestic ransomware attacks. It is time to examine how to modernize and protect our healthcare infrastructure.”
Healthcare Innovation’s Managing Editor Janette Wider connected with Richard Staynings, adjunct professor of cybersecurity and health informatics at the University of Denver and chief security strategist for Cylera, to discuss the new bill. On April 4, Staynings was featured in a guest blog on the potential for Russian cybercriminality to impact U.S. healthcare.
Staynings explains that the bill sets out to address the fundamental problems of medical device security, problems that have been a known concern for many years: most medical devices in circulation today were never designed with cybersecurity in mind and are therefore highly vulnerable.
“These [what the PATCH Act aims to do] are things that healthcare and medical device security experts have been demanding for years,” says Staynings.
“We need manufacturers to ‘design-in’ security to their products rather than expect providers to ‘graft-on’ security when devices are connected to hospital networks, via a process of expensive and often difficult to manage compensating security controls,” he adds. “We need manufacturers to have a stake in the ongoing cybersecurity resiliency of their devices, and to do so throughout their expected lifecycle. This includes the creation, testing, and timely release of patches for security vulnerabilities before patient safety risks escalate. Finally, hospital CISOs need to understand what makes up each medical device attached to their network so that when a CVE is published by Microsoft or other vendors, they know which devices may be at risk of compromise or exploitation and can therefore take immediate additional measures to secure them, while waiting on manufacturers for security patches.”
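As an added illustration of the SBOM-to-CVE triage Staynings describes above (example code written for this page, not from the article, Cylera or any manufacturer; the device ids, component names, versions and the advisory are constructed placeholders, and versions are assumed to be dotted numeric strings):

```python
"""Match a constructed CVE advisory against per-device SBOMs: the triage
step the article describes. Devices, components and the advisory are
constructed sample data, not real products or CVEs."""
from dataclasses import dataclass, field


def parse_version(text):
    """Turn '2.4.11' into (2, 4, 11) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

@dataclass
class Advisory:
    cve_id: str      # placeholder id, not a real CVE
    component: str   # affected component name
    fixed_in: str    # first version that is not affected

@dataclass
class Device:
    device_id: str
    location: str
    sbom: dict = field(default_factory=dict)  # component -> version

def is_affected(device, adv):
    """True if the SBOM lists the component at a version below fixed_in."""
    version = device.sbom.get(adv.component)
    if version is None:
        return False
    return parse_version(version) < parse_version(adv.fixed_in)

def devices_at_risk(fleet, adv):
    """Ids of devices needing compensating controls until a vendor patch."""
    return sorted(d.device_id for d in fleet if is_affected(d, adv))

# Constructed inventory: three devices with vendor-supplied SBOMs.
FLEET = [
    Device("pump-0147", "ICU-3", {"embedded-os": "4.1.2", "tls-lib": "1.0.3"}),
    Device("monitor-0291", "ICU-3", {"embedded-os": "4.2.0", "tls-lib": "1.1.0"}),
    Device("imaging-0012", "Radiology", {"embedded-os": "3.9.8"}),
]
# Constructed advisory: tls-lib before 1.1.0 is vulnerable.
ADVISORY = Advisory("CVE-XXXX-XXXXX", "tls-lib", "1.1.0")

if __name__ == "__main__":
    print(devices_at_risk(FLEET, ADVISORY))  # ['pump-0147']
```

Without a per-device SBOM the `sbom` dictionaries are empty and the scan returns nothing, which is exactly the blind spot the quoted CISO concern describes.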
Staynings adds that the bill in its current state is quite ambiguous and, in his opinion, fails to adequately define what is meant by “unacceptable vulnerabilities” or “reasonable” or “timely.”
He goes on to explain that what may be considered reasonable or timely to a manufacturer may not align with what the chief information security officer (CISO) of a large hospital considers to be the case. Staynings adds that such ambiguous, non-specific language has been used as an excuse by manufacturers in previous changes to pre- and post-market guidance, and has done very little to improve security.
“What the industry needs is uniform definitions of these terms,” Staynings asserts. “For example, an in-band patch should reasonably be made available within six months, while a critical out-of-band patch needs to be made available within 30 days of a vulnerability being discovered. This is what we expect from Microsoft and other software vendors, so why should manufacturers of medical devices be held to lower standards? If your home Windows PC gets hit with malware, that can be annoying or even mildly disastrous, but it’s not going to kill you; the compromise of a medical device keeping you alive, on the other hand, could be life-threatening.”
As to what happens if the bill becomes law, Staynings says: “If it makes it into law and the final bill contains specifics—including prescriptive security requirements—then it should start to change the healthcare internet of things (IoT) security space, but it doesn’t address the legacy problem. We have a stock of millions of medical and other healthcare-related IoT systems that we are reliant upon for all aspects of patient and clinical workflows, and many of these will be in use well into the mid-to-late 2030s. What we need is manufacturers to step up and take a more active role in defense of their existing devices from cyberattacks. Right now, they are not motivated to do so.”
Introducing new cybersecurity bills has been a recent trend. We reported earlier this week that on March 23, U.S. Senators Bill Cassidy, M.D. (R-LA) and Jacky Rosen (D-NV) introduced the Healthcare Cybersecurity Act. That act aims to direct the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to work together on improving cybersecurity processes in hospitals and health systems.