Thursday, April 7, 2022

Review - HR 7084 Introduced – PATCH Act

Last month, Rep Burgess (R,TX) introduced HR 7084, the Protecting and Transforming Cyber Health Care (PATCH) Act of 2022. The bill would amend the Federal Food, Drug, and Cosmetic Act by adding a new section dealing with the cybersecurity requirements (including software bill of material requirements) for medical devices. No new funding is authorized by this bill.

Moving Forward

Burgess, and his sole cosponsor {Rep Craig (D,MN)}, are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition beyond some pro forma objections from the medical device manufacturing sector. I suspect that this bill would receive substantial bipartisan support.

Commentary

I have two main concerns about this bill. The first deals with definitions. There are two terms used in the provisions dealing with updates and patches that are not defined in the bill or current statute:

• Unacceptable vulnerabilities, and

• Critical vulnerabilities.

I would like to think that the first term would be dealing with vulnerabilities related to patient information disclosures and the second would be dealing with vulnerabilities that could interfere with the safe operation of the device. If this is what the staff intended, it should be clearly spelled out in the definition subsection of the bill.

My second concern is that the bill only covers cybersecurity issues with new ‘premarket submissions’. I understand concerns related to ex post facto rulemaking, but something needs to be done about the hundreds (thousands? I’m not sure) of existing FDA approved devices that have no cybersecurity requirements. I would add a new §2(e):

“(e) The Director of the Food and Drug Administration will work with manufacturers of existing approved cyber devices to ensure that those manufacturers can document substantial compliance with the new requirements under §524B added by this bill. Two years after this bill is approved, the Director will publish on the Administration’s web site a list of existing approved cyber devices which have not yet documented substantial compliance with these provisions.”

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7084-introduced - subscription required.
