Cassidy, Burgess offer bipartisan, bicameral bill to protect, update healthcare cybersecurity

U.S. Sen. Bill Cassidy (R-LA) and U.S. Rep. Michael Burgess (R-TX) recently offered bipartisan, bicameral legislation that would bolster the cybersecurity infrastructure of the United States’ healthcare system.

“New medical technologies have incredible potential to improve health and quality of life,” Sen. Cassidy said. “If Americans cannot rely on their personal information being protected, this potential will never be met.” 

Sen. Cassidy on March 31 sponsored the Protecting and Transforming Cyber Health Care (PATCH) Act of 2022, S. 3983, with original cosponsor U.S. Sen. Tammy Baldwin (D-WI) in the U.S. Senate. Rep. Burgess joined U.S. Rep. Angie Craig (D-MN) on March 15 to introduce the same-named companion bill, H.R. 7084, in the U.S. House.

If enacted, the measure would ensure the healthcare system’s cybersecurity by amending current law to require “the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device,” according to the congressional record bill summary.

“The U.S. healthcare system is and will always remain to be a critical infrastructure,” said Rep. Burgess. “We must take action and necessary steps to ensure that it remains cyber secure.”

Throughout the ongoing COVID-19 pandemic, there has been a spike in ransomware attacks within medical devices and larger networks, said Rep. Burgess.

“This legislation will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the Food and Drug Administration to ensure that users are properly equipped to deal with foreign or domestic ransomware attacks,” he said.

Additionally, the PATCH Act would allow manufacturers to design, develop and maintain processes and procedures to update and patch devices and related systems throughout their lifecycle; and to establish a Software Bill of Materials for the device that will be provided to users, according to a bill summary provided by the lawmakers.

The bill also would require a plan be developed to monitor, identify and address post-market cybersecurity vulnerabilities, and request a Coordinated Vulnerability Disclosure that would demonstrate safety and effectiveness of a device, the summary says.