Showing posts with label HR 7084. Show all posts

Friday, April 8, 2022

S 3983 Introduced - PATCH Act

Last week, Sen Cassidy (R,LA) introduced S 3983, the PATCH Act. The bill would amend the Federal Food, Drug, and Cosmetic Act by adding a new section dealing with the cybersecurity requirements (including software bill of material requirements) for medical devices. No new funding is authorized by this bill. This bill is almost exactly the same as HR 7084 that was introduced last month in the House.

There are two inconsequential differences. First, in §1 the Senate bill only provides the ‘PATCH Act’ as the cite by title instead of the “Protecting and Transforming Cyber Health Care Act of 2022” or the “PATCH Act of 2022” found in the House bill. The second difference is in §2(c). In the Senate bill that subsection reads: “…is amended by adding at the end…”, where the House bill reads “…is amended by inserting after paragraph (j)…”.

Moving Forward

Both Cassidy and his sole cosponsor {Sen Baldwin (D,WI)} are members of the Senate Health, Education, Labor, and Pensions Committee to which this bill was referred for consideration. This means that there should be enough influence to see the bill considered in Committee. I suspect that there will be some opposition from medical device manufacturers to the regulatory aspects of this bill, even though most are already working hard at improving their cybersecurity support capabilities. It is too soon to tell if this opposition will be serious enough to cause legislative opposition to the bill.

Thursday, April 7, 2022

Review - HR 7084 Introduced – PATCH Act

Last month, Rep Burgess (R,TX) introduced HR 7084, the Protecting and Transforming Cyber Health Care (PATCH) Act of 2022. The bill would amend the Federal Food, Drug, and Cosmetic Act by adding a new section dealing with the cybersecurity requirements (including software bill of material requirements) for medical devices. No new funding is authorized by this bill.

Moving Forward

Burgess, and his sole cosponsor {Rep Craig (D,MN)}, are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition beyond some pro forma objections from the medical device manufacturing sector. I suspect that this bill would receive substantial bipartisan support.

Commentary

I have two main concerns about this bill. The first deals with definitions. There are two terms used in the provisions dealing with updates and patches that are not defined in the bill or current statute:

• Unacceptable vulnerabilities, and

• Critical vulnerabilities.

I would like to think that the first term would be dealing with vulnerabilities related to patient information disclosures and the second would be dealing with vulnerabilities that could interfere with the safe operation of the device. If this is what the staff intended, it should be clearly spelled out in the definition subsection of the bill.

My second concern is that the bill only covers cybersecurity issues with new ‘premarket submissions’. I understand concerns related to ex post facto rulemaking, but something needs to be done about the hundreds (thousands? I’m not sure) of existing FDA approved devices that have no cybersecurity requirements. I would add a new §2(e):

“(e) The Director of the Food and Drug Administration will work with manufacturers of existing approved cyber devices to ensure that those manufacturers can document substantial compliance with the new requirements under §524B added by this bill. Two years after this bill is approved, the Director will publish on the Administration’s web site a list of existing approved cyber devices which have not yet documented substantial compliance with these provisions.”

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7084-introduced - subscription required.

Wednesday, March 16, 2022

Bills Introduced – 3-15-22

Yesterday, with both the House and Senate in session, there were 42 bills introduced. Three of those bills may receive additional attention in this blog:

HR 7077 To require the United States Fire Administration to conduct on-site investigations of major fires, and for other purposes. Rep. Torres, Ritchie [D-NY-15]

HR 7084 To amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes. Rep. Burgess, Michael C. [R-TX-26]

S 3845 A bill to require the United States Fire Administration to conduct on-site investigations of major fires, and for other purposes. Sen. Gillibrand, Kirsten E. [D-NY] 

I will be watching HR 7077 and S 3845 (which are probably companion bills) for language and definitions that would specifically include chemical facilities in the definition of ‘major fires’.

 