For the last decade, healthcare provider organizations have borne the brunt of securing the expansive, complex medical device ecosystem. And most of even the best-equipped health systems struggle (and don’t) close all medical device security risks.
But all that may soon change, at least for premarket device submissions.
The sweeping $1.7 trillion omnibus package passed in December 2022 included measures that give the FDA new authorities to establish medical device security requirements for manufacturers, which has led to overwhelming praise from the healthcare sector.
The omnibus included “long desired FDA authorities” previously left out of the continuing resolution, said Carter Groome, CEO of First Health Advisory. Some of these requirements for premarket submissions were included in the Protecting and Transforming Cyber Health Care (PATCH) Act, which heralded broad support from industry stakeholders.
The last FDA appropriations bill passed in September without PATCH Act elements, despite overwhelming bipartisan support — much to the chagrin of medical device security leaders. The Consolidated Appropriations Act of 2023 includes some, but not all, of the language of the PATCH Act.
“Although watered down from PATCH Act asks, it’s a big step forward for health sector resilience and ultimately the safety of people reliant on the integrity and availability of medical devices,” said Groome, who’s also a post-market medical device security advisor and member of the Health Sector Coordinating Council (HSCC).
But even the smallest step in healthcare cybersecurity is a huge win for provider organizations.