The PATCH Act: Protecting Medical Devices from Cyber Attacks | Spilman Thomas & Battle, PLLC

In a previous issue of Decoded, we discussed the alarming fact that many medical devices, including those implanted in patients’ bodies, are leaving the manufacturers with known cybersecurity flaws. Because of these known flaws, these devices are vulnerable to being hacked and patients’ personal/protected health information (“PHI”) stolen; or worse, to the device being held hostage in a ransomware attack. In hopes of preventing a medical disaster associated with unprotected medical devices, this year the House and the Senate are considering companion bills intended to significantly improve security and safety for medical devices. Senate Bill 3983, the “Protecting and Transforming Cyber Health Care Act” or “PATCH Act,” and the House companion, the PATCH Act of 2022, H.R. 7084, are currently under consideration in their respective Committees. The PATCH Act represents a major step forward in securing networkable medical devices, but there are significant shortcomings in the way it addresses the ever-evolving threat of cybersecurity vulnerabilities in those medical devices.

At the outset, the PATCH Act must define what medical devices it intends to cover. Medical devices come in all shapes and sizes – from implanted devices such as a pacemaker or a child’s RFID tag, to robotic assisted surgical equipment such as the Da Vinci, or even MRI or X-Ray imaging machinery. These devices are known to be vulnerable to cyberattacks, with a wide range of medical impacts and risks to health and safety. With the PATCH Act, Congress is trying to address vulnerabilities of all of these devices under the simple umbrella of “cyber devices.”

The PATCH Act defines a “cyber device” as “a device that (A) includes software; or (B) is intended to connect to the internet.” This definition demonstrates the complexity of the issue, because it includes amorphous terms. What constitutes “software” in this context? Is software specific computer programming, or does it include passive RFID chip technology? Title 21 of the United States Code does not otherwise define “software” as a standalone term. Likewise, the phrase “intended…