FDA, Congress Overhaul Medical Device Cybersecurity Roadmaps

The U.S. Congress and the FDA are maneuvering to address a key weak spot in healthcare cybersecurity: the hacking of medical devices. Congress is moving forward with a proposed bill, the Protecting and Transforming Cyber Health Care (PATCH) Act, which would require device manufacturers to demonstrate that certain cybersecurity considerations were built into their planning and to supply a Software Bill of Materials (SBOM) for new devices. Passage of the bill would make these factors mandatory; the FDA, by contrast, is only going so far as to strengthen its recommended guidelines.

Internet-connected devices such as imaging machines and infusion pumps have been a hot target for hackers of late. The attacks involve the extraction of sensitive data and can ultimately put patient safety directly at risk. Experts in the sector consider a large number of devices currently on the market prone to cyberattacks. The FDA has grappled with the long-gestating issue over the years, and its newest guidance – pieced together from manufacturer feedback and taking into account the medical device space’s accelerated evolutionary cycles – replaces a draft guideline from 2018.

Though the FDA’s document remains in draft stage for the time being and won’t be put into practice until it’s run through another feedback phase, the major changes therein include extra emphasis on cybersecurity prioritization throughout the entirety of a device’s lifecycle. The agency has also requested that Congress afford it more explicit requirement-making privileges in the interest of bolstering device resilience.