last highlighted date: 2024-01-10
Highlights
- The complexities in the abstract are added rigour in the pre-market design control process: significantly more rigour in the post-market surveillance and monitoring process, in change control and corrective action/preventive action processes, and in the magnitude of monitoring all these off-the-shelf, third-party software products that would be enumerated in what they call the SBOM (software bill of materials).
- The PATCH Act, which has been in development for several years, defines a framework for minimal cybersecurity focus within medical devices. On December 29th, 2022, the Act was signed into US law, and from March 29, 2023, a premarket application or submission for cyber devices had to contain all information required by the FDA. In this period, the FDA holds back from issuing refuse-to-accept (RTA) decisions for premarket submissions of cyber devices submitted before October 1st, 2023.
- They want manufacturers to be able to produce a patch, which means they have the ability to fix your software based on an unintended consequence, in an off-cycle release. You may release your software, let’s say, every month or every three months, although many manufacturers in this industry release on a much broader timeline. The government is saying you still need to have the ability to release software in a reasonable amount of time to remove any possible harm to the public in an off-cycle release.
- Note: need frequent release cycle for software
- There’s no software that’s deployed today that would not need a patch, within the next five to 10 years, at most, if not in the next week. Codifying that, and making sure that happens, would benefit the people who rely on it the most.
- Tomorrow, someone can find a zero-day vulnerability, and suddenly every device connected to that library is vulnerable to hacking. A lot of great manufacturers put risk controls in place to prevent hacking. I think fundamentally, if you’re using software, you must be able to change from a security standpoint, because you don’t control what’s going on, and if someone finds an issue, it’s important to be able to provide changes rapidly.
- Will we see more specialised software built for medical devices which will address these concerns?
  EK: I think it’s absolutely an area of growth. Because there’s a difference in what I expect from an app I use to play a game on my phone and an app I use to monitor my child’s health. My expectation of those two things is so vast that we really need to reconsider what we allow into the latter.
- The more data the FDA has, the better the picture they get of the state of the healthcare industry. They’re trying to monitor the ecosystems of the healthcare industry.
- EK: Post-market vulnerabilities are software vulnerabilities that are discovered in your software after it’s been launched into the market. I use a library developed by a team of people in Germany. If someone discovers an exploit and publishes it online, look at how you can use this library to control the device or control the application that is using it. That can happen at any point in the future; we can never know if a library has a potential exploit, you can only know once it’s discovered. I can release the device today, scan it for vulnerabilities, but tomorrow or in a week, a year, someone can take full control of it. There’ll be another vulnerability in a major library that’s commonly used, and this time it’ll be commonly used for some action on a medical device or huge amounts of medical devices. It’s not like this might happen; it’ll eventually happen many times over in the rest of this decade and century.
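The post-market monitoring that the SBOM highlight and EK's answer describe, as an added example that is not from the interview or any FDA or vendor tooling: a device's SBOM (a constructed, CycloneDX-like component list) is matched against advisories published after release (constructed placeholder ids, not real CVEs) so that newly affected third-party components surface without rescanning the device. It also shows why versions must be compared numerically rather than as strings.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10); as plain strings "1.2.10" < "1.2.9", which would hide findings."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix published yet
    advisory_id: str

# Constructed SBOM: a hypothetical device firmware build and the third-party parts it ships.
SBOM = {
    "metadata": {"component": {"name": "example-pump-fw", "version": "3.4.0"}},
    "components": [
        {"name": "libtls", "version": "1.2.10"},
        {"name": "json-parser", "version": "0.9.3"},
        {"name": "ble-stack", "version": "2.0.1"},
    ],
}

# Constructed advisories that appeared after the device shipped (placeholder ids).
ADVISORIES = [
    Advisory("libtls", "1.2.0", "1.2.11", "ADV-EXAMPLE-0001"),
    Advisory("json-parser", "1.0.0", "1.0.4", "ADV-EXAMPLE-0002"),  # shipped 0.9.3 predates range
    Advisory("ble-stack", "2.0.0", "", "ADV-EXAMPLE-0003"),          # no fixed version yet
]

def affected_components(sbom: dict, advisories: list) -> list:
    """Return (component, version, advisory_id, fixed_in) for each SBOM entry in an affected range."""
    findings = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv.component != comp["name"]:
                continue
            below_fix = adv.fixed == "" or ver < parse_version(adv.fixed)
            if ver >= parse_version(adv.introduced) and below_fix:
                findings.append((comp["name"], comp["version"], adv.advisory_id, adv.fixed or "no fix yet"))
    return findings

if __name__ == "__main__":
    for name, ver, adv_id, fix in affected_components(SBOM, ADVISORIES):
        print(f"{name} {ver}: {adv_id} (fixed in {fix})")
```

A finding with "no fix yet" is exactly the case the PATCH Act's off-cycle patch requirement is about: the manufacturer must still be able to ship a mitigation before the upstream fix exists.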