Justin Reilly, CEO at Impero Software, 08.02.22
As the Internet of Medical Things (IoMT) continues to become more prominent in the healthcare sector, there is a growing need for both process and policy to speed up to match its pace, lest the widening security gap be exploited by opportunistic hackers.
The PATCH Act, a new piece of legislation currently being reviewed in both the U.S. House of Representatives and the Senate, is a current example of the legislative steps being taken at the highest levels of government to even the cybersecurity playing field.
As currently written, the PATCH Act would both establish a cybersecurity baseline for medical device manufacturers seeking FDA approval and impose further requirements and support obligations for these devices post-market. As more facilities fully embrace the IoMT, steps such as those in the PATCH Act will be increasingly essential in providing a baseline of protection against malicious actors seeking to breach healthcare facility networks.
This legislation comes at a critical time, as the adoption of technology in hospitals and other healthcare facilities has continued to accelerate – particularly in the wake of the COVID-19 pandemic. Now, these facilities are not only more digitized, but are less centralized than ever before. IoMT devices are by far the clearest example of this trend, having propagated through medical facilities, doctors’ offices, in home care settings and elsewhere.
Most of the industry today agrees that IoMT is the future of healthcare, with a Gartner survey in 2019 showing that 86 percent of healthcare providers had already embraced these connected devices. It’s true that IoMT devices have unlocked significant avenues for optimization in both process and patient care, but they also pose a serious threat vector for hackers seeking to use them as back doors into networks containing patient information. Cybersecurity needs to be top of mind at every step of setting up new infrastructure – this is where the PATCH Act can be valuable.
The PATCH Act, if passed, would serve as a direct response to the rapid propagation of cyberattacks. As written, the legislation would:
- Raise the bar that device manufacturers must meet on cybersecurity before being approved by the U.S. Food and Drug Administration (FDA).
- Require manufacturers to vigilantly monitor for exploits and demonstrate the ability and intent to do so before receiving approval.
- Require manufacturers to provide more updates and patches to devices, both on a regular cycle and in emergency response to critical vulnerabilities discovered post-market.
These measures are specifically tailored to address the security risks that medical devices present when they are not implemented in a thoughtful, secure way. In 2017 – well before the rapid digitalization of the last few years – the FDA found 164 cyber threats for every 1,000 medical devices, meaning more than one device in every 10 posed a threat vector.
Hackers are determined to break into healthcare systems to lay claim to the treasure trove of personally identifiable information contained within. In the wrong hands, this information allows criminals to steal a patient’s identity or commit other forms of fraud with relative ease, aided by inside knowledge.
Despite the importance of the information they guard, many medical devices today aren’t integrated into facilities as securely as they ought to be. The sheer variety of remotely accessible devices on the network – from x-ray machines to MRI machines – introduces myriad variables, since these devices are often serviced by many different security vendors. This fragmented approach weakens both communication and oversight, potentially leaving unnoticed gaps in security that outsiders can readily exploit.
The PATCH Act is essentially a means of “patching” these gaps that are woefully prominent in today’s IoMT. With medical devices secured, healthcare facilities will be free to reap the major benefits of remote access and centralized information without fear of the risks that have typically come with the rewards.
Furthermore, the bipartisan bill sends a message that in addition to all the relevant agencies, the government has also begun to turn its attention to this issue. For any healthcare facilities that haven’t been proactive about cybersecurity, any digital shortcomings are sure to only become more problematic – be it from malicious actors or government enforcement.