The Insights That Shaped the PATCH Act
For nearly a decade, advocating for the implementation of minimum cyber hygiene for connected medical technologies has been a personal journey. Drawing parallels to the safety features in cars, I have worked tirelessly to build trust with the US Food and Drug Administration and influence their pre- and post-market guidance. Finally, the passage of the PATCH Act, backed by law, marks a significant milestone. Amidst the alarming rise of ransomware attacks and disruptions to healthcare technology during the pandemic, it became evident that the lack of cybersecurity measures could jeopardize lives.
Hospitals now share the responsibility of ensuring the defensibility and resilience of the medical devices and technologies they procure and deploy. Regardless of their size or funding, every hospital can benefit from the implementation of minimum cyber hygiene practices. By securing our supply chain and fortifying the devices, we stand a fighting chance against accidents and adversaries. Although the need for this legislation was apparent years ago, it is only recently that the healthcare industry recognized its vulnerability and the consequences it faces.
The relentless surge in ransomware attacks and audacious criminal actors over the past few years has resulted in compromised patient care and has even affected mortality rates. At CISA, my team has extensively documented these prolonged attacks, which have tragically led to loss of life. Fortunately, Congress and the White House have taken notice, and there is now a resolute political will to step up and restore public trust in healthcare technology.