The PATCH Act: Protecting Medical Devices from Cyber Attacks
INTRODUCTION
In a previous issue of Decoded, we discussed the alarming fact that many medical devices, including those implanted in patients' bodies, leave their manufacturers with known cybersecurity flaws. Because of these known flaws, the devices are vulnerable to being hacked and patients' personal/protected health information ("PHI") stolen, or worse, to being held hostage in a ransomware attack. In hopes of preventing a medical disaster associated with unprotected medical devices, the House and the Senate are this year considering companion bills intended to significantly improve the security and safety of medical devices. Senate Bill 3983, the "Protecting and Transforming Cyber Health Care Act" or "PATCH Act," and the House companion, the PATCH Act of 2022, H.R. 7084, are currently under consideration in their respective Committees. The PATCH Act represents a major step forward in securing networkable medical devices, but there are significant shortcomings in the way it addresses the ever-evolving threat of cybersecurity vulnerabilities in those devices.
A PROBLEMATIC DEFINITION OF “CYBER DEVICE”
At the outset, the PATCH Act must define which medical devices it intends to cover. Medical devices come in all shapes and sizes, from implanted devices such as a pacemaker or a child's RFID tag, to robotic-assisted surgical equipment such as the Da Vinci, to MRI or X-ray imaging machinery. These devices are known to be vulnerable to cyberattacks, with a wide range of medical impacts and risks to health and safety. With the PATCH Act, Congress is trying to address the vulnerabilities of all of these devices under the single umbrella of "cyber devices."
The PATCH Act defines a "cyber device" as "a device that (A) includes software; or (B) is intended to connect to the internet." This definition demonstrates the complexity of the issue, because it relies on amorphous terms. What constitutes "software" in this context? Is software specific computer programming, or does it include passive RFID chip technology? Title 21 of the United States Code does not otherwise define "software" as a standalone term. Likewise, the phrase "intended to connect to the internet" (note the lowercase "i") is amorphous. Does Congress intend the PATCH Act to apply only to medical devices that can be networked through an Internet connection, or does it intend to include devices that were not originally designed to be networked but can be networked by the end user? Other provisions under Title 21 define "Internet" (note the capital "I") to mean "collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected worldwide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocol to such protocol, to communicate information of all kinds by wire or radio." The problem is that the definition of a "cyber device" does not capitalize the word "internet," so as a matter of statutory construction, this definition of the word "Internet" would not apply to the definition of a "cyber device." This ambiguous language will lead to problems in the future. The cybersecurity risks for medical devices are not limited to TCP/IP vulnerabilities, even though those account for the majority of current exploits. Private and closed networks are still vulnerable to cyberattack, yet devices on them may not fall within the proposed definition of a "cyber device."
Instead of defining "cyber devices" as medical devices that connect to the Internet, a better approach may be to define a "cyber device" as any medical device that communicates with another electronic device, actively or passively, through a network or wirelessly. For the PATCH Act to rely on such vague terminology betrays a narrow understanding of how these devices operate and of the risks they present to patient safety and PHI.
PREMARKET AND POSTMARKET REGULATIONS
The core of the PATCH Act is its regulation of medical device cybersecurity throughout the device's full lifecycle. The PATCH Act requires premarket submissions for device approvals to include "such information as the Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate . . . ." This language gives the Secretary of Health and Human Services the discretion to set forth regulations and requirements ensuring the cybersecurity of new medical devices. The PATCH Act protects against cyberattacks by setting a minimum standard of "cybersecurity requirements" for the premarket and postmarket phases of a medical device's lifecycle.
During the premarket submission process, a manufacturer must provide certain information to the FDA, both for regulatory review and for disclosure to the consumer. For regulators, the manufacturer must have "a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits." Additional key requirements include a duty to "design, develop, and maintain processes and procedures to make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device," to be addressed on a regular cycle for "known unacceptable vulnerabilities," or out of cycle in the case of "critical vulnerabilities that could cause uncontrolled risks." For consumers, the manufacturer must provide a "software bill of materials, including commercial, open-sourced, and off-the-shelf software components," which will be made available to users of the device. This is important information: it identifies the software that makes the device function and supports managing the device across its intended lifecycle, from production to proper decommissioning.
Again, the definitions here are somewhat vague and amorphous. At what point does a vulnerability cross the line from "unacceptable" to "critical" and trigger the out-of-cycle update process? Would a patient or provider be able to adequately understand an "uncontrolled risk" for the purposes of informed consent? Presumably, these details would be addressed in regulations promulgated by the Secretary, and then outlined by the manufacturer in the Coordinated Vulnerability Disclosure to be included in premarket submissions to the FDA under the PATCH Act. It may be better to define these terms clearly within the PATCH Act itself, rather than leaving them to the discretion of the Secretary. Finally, because the PATCH Act applies to "any person who submits a premarket submission for the cyber device," it is unclear to what extent the Act adequately addresses existing vulnerabilities in legacy medical devices already in the postmarket phase of their lifecycles.
WHY DOES THIS MATTER?
Cybersecurity vulnerabilities exist in all interconnected devices. Manufacturers across many industries have been working for years to stay on top of risks and new attacks. Consumers are aware of the risks in the automotive industry, as cars can be hacked or stolen in a variety of ways. The technology and equipment necessary to perform a relay attack on a vehicle, for example, are readily available on the open market at a very low price. Equipment that would have cost a bad actor more than $5,000 a few years ago (creating a barrier to entry) is now readily available for around $20. The evaporation of financial barriers to entry for bad actors exacerbates the risk of exploitation.
In the automotive industry, for example, proof-of-concept exploits have demonstrated how a bad actor could walk into a dealership with a small bag holding this relay equipment. In a short time, the equipment scans and collects the data emitted by the smart keys behind the counter. That data can then be used to imitate a key and take control of vehicles on the lot. Imagine a similar vulnerability in a medical device. Could a bad actor using a similar relay attack remotely interfere with a pacemaker and threaten to trigger a heart attack in a patient? What if they were to bring down the patient monitoring systems of an entire medical unit? Just as certain pharmaceuticals are contraindicated and should not be prescribed to the same patient, the same is true of medical devices: when purchasing medical devices, purchasers and/or patients need to be aware of the cybersecurity risks associated with interference from other medical devices. Without reasonable assurances that medical devices are secure, or knowledge of what hardware and software a device contains, medical providers and patients are at a significant disadvantage under current laws and regulations.
When a consumer's car is stolen, or their computer is infected with malware, the result is inconvenience and a loss of time, money, or data. When a medical device is attacked, lives are quite literally at stake. Cybersecurity regulations such as the PATCH Act serve to incentivize manufacturers to proactively secure their products and ensure consumer safety. With those incentives, newer technologies are developed and products become safer and more secure.
While implanted medical device scenarios are the most frightening examples of medical device cyber vulnerabilities, many medical devices are also located in medical facilities. These devices often transmit patient PHI over a network for review by clinicians, and that transmission is also vulnerable to interception or ransom. The PATCH Act would address these vulnerabilities as well by requiring medical devices to be able to receive software patches for newly discovered vulnerabilities throughout the device's lifecycle.
INDUSTRY RESPONSE AND CONCLUSION
The industry response to the current draft of the PATCH Act is mixed. Cybersecurity experts agree that the definitions of key terms in the Act are problematic. Some, such as Richard Staynings of the University of Denver, have suggested that additional regulation is needed to incentivize manufacturers to "design-in" critical cybersecurity components premarket. He further suggests that market-standard timeframes could be included for the implementation of patches, such as a six-month cycle for regular or "in-band" patches and a 30-day window for more critical patches addressing new vulnerabilities.
The FDA has also weighed in on the PATCH Act. The FDA currently provides guidance to medical device manufacturers on protecting their devices against cyberattacks. While the FDA celebrates that the Act and the regulations stemming from it have "teeth," critics such as Chris Gates of Velentium caution that the regulations tend to brush past existing workable guidance and thought leadership from entities such as the National Telecommunications and Information Administration (the "NTIA"). This is particularly the case with the proposed structure of the software bill of materials, where the NTIA has already laid significant groundwork. In addition, Gates points out that in the history of all device manufacturers, only one has been able to successfully fix and patch a vulnerability within the 60-day window the FDA is proposing in the updated draft regulation.
In commentary on these and other related bills, legal and healthcare experts acknowledge that cybersecurity vulnerabilities in medical devices have been a known issue for a number of years. The risk of increased targeting of the healthcare sector is expected to grow with rising consumer use of technology, coupled with increased cyberattacks originating from international conflict zones. In general, the healthcare industry appears poised to welcome this legislation, but wants to ensure that the final implementation of any regulation or statutory oversight is artfully drafted to provide security protections that are not limited to current technologies but allow for further development and design appropriate to the wide array of medical devices, uses, and risks.
In short, the PATCH Act is a critical piece of legislation that is long overdue. The medical industry and medical device manufacturers should welcome this step in developing laws and regulations aimed at providing assurances that cybersecurity is being appropriately addressed in the manufacture of medical devices. However, the current draft of the Act is not without its problems. The definitions used in its current form remain problematic and vague, and hopefully will be revised and clarified in Committee. Interested parties should pay attention to any further revisions and consider the impact of this legislation on their industries and products, particularly in the premarket development space. The Act's applicability to legacy medical devices already in the postmarket phase should also be clarified. As the Internet of Things continues to expand to include medical devices, it is critical to set the right baseline for manufacturer regulation and patient safety.