On March 15th, 2022, the “Protecting and Transforming Cyber Health Care Act of 2022” or the “PATCH Act of 2022” was introduced to the House and the Senate. The Act states its purpose is “to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.”

Basically, the FDA will require manufacturers of medical devices to design, develop, and maintain patches throughout the lifecycle of their devices. When submitting a premarket submission for a cyber device, the manufacturer must ensure that it carries out the outlined cybersecurity requirements.

The following will be required of manufacturers:

  • There must be a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits in a reasonable time
  • There must be a plan and procedures for a Coordinated Vulnerability Disclosure, and those disclosures must be submitted to the FDA and documented
  • The manufacturer must design, develop, and maintain processes and procedures to make updates and patches available