Regulatory Reflections: The PATCH Act

Date Published: June 26, 2024

Healthcare institutions have remained a key target for attackers in recent years. 2023 set two unwelcome cybersecurity records, for the most data breaches and for the most breached records: with 725 breaches and over 133 million exposed records reported to OCR alone, it's clear more needs to be done to protect sensitive patient information.

There are several reasons why data breaches continue to rise in the healthcare sector. The ongoing transition to digital records, the growing number of connected devices in hospitals and related environments, and sustained attacker interest all mean more vulnerabilities are being exploited. In 2023, 79.7% of data breaches within the sector resulted from hacking incidents.

A new law for medical devices

Thankfully, the US Congress has acted on these concerns. After years of deliberation, the provisions of the Protecting and Transforming Cyber Healthcare (PATCH) Act were enacted as Section 3305 of the Consolidated Appropriations Act, 2023, signed in December 2022; they added Section 524B, 'Ensuring Cybersecurity of Devices', to the Federal Food, Drug, and Cosmetic Act, and the new requirements took effect on March 29, 2023. The Act provides a framework for stronger cybersecurity measures and gives the US Food and Drug Administration (FDA) explicit authority to require security evidence from manufacturers of 'cyber devices' and to act against those who do not treat security as a priority.

As a result, a manufacturer submitting a cyber device for premarket review must now provide a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits in a reasonable time, including coordinated vulnerability disclosure. A published vulnerability disclosure program (VDP), often only a few statements long, tells security researchers how to report findings and demonstrates the manufacturer's commitment to the Act's goals in the wake of growing attacks. Manufacturers must also design, develop, and maintain processes that provide reasonable assurance the device and related systems are cybersecure, make security updates and patches available on a reasonably justified regular cycle, and release out-of-cycle patches as soon as possible for critical vulnerabilities that could cause uncontrolled risk.

Ensuring greater device security

One key requirement is the creation and provision of a Software Bill of Materials (SBOM), listing the commercial, open-source, and off-the-shelf software components in the device. In basic terms, an SBOM is an inventory: a hospital or manufacturer can compare the listed components and versions against vulnerability sources to see whether any of them carry a known, and especially an actively exploited, weakness. CISA's Known Exploited Vulnerabilities (KEV) Catalog is the natural first check, because it lists only vulnerabilities confirmed to be exploited in the wild; broader sources such as NVD or OSV cover the rest.
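The comparison described above, as an added example that is not part of this post or of any TCG tooling: a small Python script that reads a CycloneDX SBOM and cross-references it with an excerpt of CISA's KEV feed. Both inputs are constructed samples embedded inline. Because the KEV catalog records only vendor, product and CVE (no affected-version data, and product names that do not match package names), the script also carries a local table mapping each KEV CVE to a package URL prefix and version range; that table, and the simple version comparator, are assumptions of the example, and in practice the ranges would be pulled from NVD or OSV.

```python
"""Cross-reference a CycloneDX SBOM against CISA's KEV catalog (constructed sample data)."""
import json
import re

# Constructed CycloneDX 1.5 SBOM excerpt for a hypothetical device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "openssl", "version": "1.0.1f",
     "purl": "pkg:generic/openssl@1.0.1f"},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "firmware", "name": "vendor-rtos", "version": "4.2"}
  ]
}
"""

# Constructed excerpt in the schema of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields used below are kept; consult the live feed for current entries.
KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
     "dateAdded": "2022-05-04", "dueDate": "2022-05-25"}
  ]
}
"""

# KEV carries no affected-version data and its product names do not match SBOM
# package names, so this example keeps a local table (an assumption of the
# example) mapping each KEV CVE to a purl prefix and a half-open version range
# [introduced, fixed).  In practice this is populated from NVD or OSV.
AFFECTED = {
    "CVE-2021-44228": {"purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
                       "introduced": "2.0", "fixed": "2.15.0"},
    "CVE-2014-0160": {"purl_prefix": "pkg:generic/openssl@",
                      "introduced": "1.0.1", "fixed": "1.0.1g"},
}


def version_key(version):
    """Tokenise a version string for ordering: digits compare numerically,
    letters lexically, so 1.0.1 < 1.0.1f < 1.0.1g and 2.14.1 < 2.15.0.
    Pre-release tags such as 2.0-beta9 are not modelled; use a semver or
    PEP 440 library for production comparisons."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def match_sbom_to_kev(sbom_json, kev_json, affected):
    """Return ([(purl, cveID, dueDate), ...], [names without purl/version]).
    Components that cannot be matched are reported, not silently skipped."""
    sbom = json.loads(sbom_json)
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    hits, unmatched = [], []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            unmatched.append(comp.get("name", "<unnamed>"))
            continue
        for cve, rule in affected.items():
            if cve not in kev:
                continue  # local range data for a CVE that is not in the KEV excerpt
            if purl.startswith(rule["purl_prefix"]) and in_range(
                    version, rule["introduced"], rule["fixed"]):
                hits.append((purl, cve, kev[cve]["dueDate"]))
    return hits, unmatched


if __name__ == "__main__":
    found, manual = match_sbom_to_kev(SBOM_JSON, KEV_JSON, AFFECTED)
    for purl, cve, due in found:
        print(f"KEV hit: {purl} -> {cve} (federal remediation due {due})")
    for name in manual:
        print(f"no purl/version in SBOM, check manually: {name}")
```

Run against the sample SBOM, the script flags log4j-core 2.14.1 and OpenSSL 1.0.1f, leaves OpenSSL 3.0.13 and requests alone, and lists the purl-less RTOS component for manual review. The last point matters in practice: an SBOM entry without a package URL or version is a gap in the inventory, not evidence of safety.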

SBOMs are key to reducing risk, yet in 2022 fewer than 20% of organizations building or procuring critical infrastructure software mandated them in their engineering practices. Gartner predicts this will rise to around 60% by 2025, and the PATCH Act will play an important role in getting businesses familiar with, and comfortable generating, SBOMs.

Any further cybersecurity requirements the FDA attaches to these provisions apply to every manufacturer seeking clearance or approval for a cyber device. Since October 1, 2023, the FDA may issue a 'refuse to accept' decision for a premarket submission that lacks the required cybersecurity documentation, which halts review of the product until the submission is corrected and keeps it off the market in the meantime.

Warning signs from the healthcare sector

You only need to look at the news to see why the PATCH Act is needed. In June 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for a critical vulnerability, CVE-2023-31222, in Medtronic's Paceart Optima cardiac device data management system. Found by Medtronic through routine monitoring rather than an incident, the flaw (unsafe deserialization in the system's messaging service) could allow an attacker to delete, steal, or alter data held by the system, or to use it as a foothold into the healthcare organization's wider network.

The year before, the FDA warned of a potential vulnerability in Medtronic's MiniMed 600 series insulin pump systems: an unauthorized person could gain access to the pump while it was being paired with other system components, and could then potentially control insulin delivery, putting patients' lives at risk.

A trusted approach

53% of connected medical and Internet of Things (IoT) devices in hospitals carry known critical vulnerabilities. The PATCH Act aims to drive that number down by keeping equipment that does not meet FDA requirements off the market. Manufacturers need not wait for submission, however: they can adopt a 'trusted computing' approach to device security from the start of the design.

Trusted computing protects devices against threats such as malware and firmware tampering and keeps sensitive data shielded from unauthorized users. It gives manufacturers the means to determine exactly what software is running on a device and, through attestation, lets the other party in a data exchange verify that measured state before any data is sent or accepted, so a compromised system is refused rather than trusted.
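The attestation gate described above, as an added example that is not code from this post or from TCG: a stdlib-only Python model of measured boot and a challenge-response quote. The boot chain extends a PCR-style register with each image it loads, the device binds that register value to a verifier nonce, and the verifier releases data only if the quote is fresh, authentic, and equal to a golden reference computed from the approved images. The image list and key are constructed; an HMAC with a shared key stands in for the signature a TPM would make with its attestation key, which is a simplification so the example runs without hardware.

```python
"""Measured boot and attestation-gated data release, modelled with the Python stdlib."""
import hashlib
import hmac
import os

# Constructed list of boot-time images for a hypothetical device, in load order.
APPROVED_IMAGES = [
    b"bootloader v3.1",
    b"rtos-kernel 5.4.2",
    b"pump-control-app 2.0.7",
]
# Example-only stand-in for the device's attestation key.  A TPM signs quotes
# with a restricted attestation key that never leaves the chip; a shared HMAC
# key is used here purely so the example runs stand-alone.
ATTESTATION_KEY = b"example-attestation-key-do-not-use"


def extend(pcr, image):
    """TPM-style PCR extend: new = H(old || H(image)).  Order and content both matter."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(images):
    """Simulate the boot chain measuring each image before handing control to it."""
    pcr = b"\x00" * 32
    for image in images:
        pcr = extend(pcr, image)
    return pcr


def make_quote(pcr, nonce, key):
    """Device side: bind the PCR value to the verifier's nonce so a quote from an
    earlier, healthy boot cannot be replayed after the device is compromised."""
    return {"pcr": pcr, "nonce": nonce,
            "mac": hmac.new(key, nonce + pcr, "sha256").digest()}


class Verifier:
    """Relying party (for example a hospital device gateway) that exchanges data
    only with a device whose measured state matches the golden reference."""

    def __init__(self, golden_pcr, key):
        self.golden_pcr = golden_pcr
        self.key = key
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, quote):
        # 1. freshness: the nonce must be one we issued and not yet used
        if quote["nonce"] not in self.outstanding:
            return False
        self.outstanding.discard(quote["nonce"])
        # 2. authenticity: the quote must come from the holder of the attestation key
        expected = hmac.new(self.key, quote["nonce"] + quote["pcr"], "sha256").digest()
        if not hmac.compare_digest(expected, quote["mac"]):
            return False
        # 3. policy: the measured software must equal the approved software
        return hmac.compare_digest(quote["pcr"], self.golden_pcr)


def exchange_data(verifier, device_images):
    """One attestation round: challenge, measure, quote, verify.
    Returns True only if the verifier would release data to this device."""
    nonce = verifier.challenge()
    quote = make_quote(measure_boot(device_images), nonce, ATTESTATION_KEY)
    return verifier.verify(quote)


if __name__ == "__main__":
    v = Verifier(measure_boot(APPROVED_IMAGES), ATTESTATION_KEY)
    print("approved firmware   ->", exchange_data(v, APPROVED_IMAGES))
    tampered = APPROVED_IMAGES[:-1] + [b"pump-control-app 2.0.7 (modified by attacker)"]
    print("modified app image  ->", exchange_data(v, tampered))
```

Three checks do the work: the nonce defeats replay of an old quote, the MAC ties the register value to the device's key, and the equality test against the golden value rejects any change in what was loaded or in what order. A real deployment compares against a set of approved values (one per released firmware version) and uses the TPM's quote structure and signature rather than an HMAC.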

In our previous blog in the series, we outlined some of the Roots of Trust (RoT), including the TPM and DICE, that can help ensure trusted computing is applied to medical devices and equipment. If manufacturers can implement one or both of these solutions, then they are playing their part in a more secure future for the healthcare industry.
