FDA PATCH Act: 1 Year Later in Medical Device Security
Post Summary
The FDA PATCH Act, enacted on March 29, 2023, has transformed medical device cybersecurity by introducing mandatory regulations for manufacturers. This law requires internet-connected medical devices to meet strict cybersecurity standards throughout their lifecycle, addressing medical device security risks that could compromise patient safety or hospital networks. Key takeaways include:
- Premarket Requirements: Manufacturers must submit detailed cybersecurity plans, including a Software Bill of Materials (SBOM), as part of FDA submissions.
- Postmarket Management: Active monitoring, vulnerability disclosures, and timely patches (within 30 days) are now mandatory.
- Lifecycle Security: Devices must remain secure through updates and threat detection systems.
Since the FDA began enforcement on October 1, 2023, there has been a 700% rise in deficiency letters related to cybersecurity. 70% of 510(k) submissions now face additional review due to cybersecurity gaps, highlighting the challenges manufacturers face in meeting these new standards. Legacy devices remain a major concern, as the PATCH Act does not apply retroactively, leaving older systems vulnerable.
Tools like Censinet RiskOps™ are helping healthcare organizations streamline compliance by automating risk assessments, managing SBOMs, and benchmarking cybersecurity efforts.
The PATCH Act has reshaped how manufacturers and healthcare providers approach device security, emphasizing continuous monitoring and collaboration to safeguard patient data and healthcare infrastructure.
FDA PATCH Act One-Year Impact: Key Statistics and Compliance Metrics
The Patch Act: Protecting Medical Devices from Cyberattacks
Key Requirements of the PATCH Act
The PATCH Act outlines three essential obligations for manufacturers of internet-connected medical devices. These rules apply to all premarket submissions, including 510(k), Premarket Approval (PMA), De Novo, and Humanitarian Device Exemption (HDE) applications [1]. Together, these requirements aim to strengthen cybersecurity throughout a device's lifecycle.
Premarket Cybersecurity Plans
Before devices hit the market, manufacturers are required to submit detailed cybersecurity documentation. This includes a Software Bill of Materials (SBOM), which must account for risk assessments and version tracking of all software components [1][5]. As John Koontz, COO of Ketryx, puts it:
"The requirement to provide an SBOM not only lists code sources but also tracks their versions, vulnerabilities, and risk evaluations."
Additionally, manufacturers must demonstrate their processes for ensuring device security. Since October 1, 2023, all 510(k) submissions must use the eSTAR electronic template. This template includes a cybersecurity section, and submissions lacking this information will face immediate Refuse to Accept (RTA) decisions [1][5].
Postmarket Vulnerability Management
Once devices are on the market, manufacturers must actively monitor and address vulnerabilities within a reasonable timeframe [1]. This includes setting up coordinated vulnerability disclosure (CVD) procedures to communicate security issues to the FDA and healthcare stakeholders [1][5]. Manufacturers are expected to develop targeted patches within 30 days [5].
For example, the FDA has documented cases where:
"Successful exploitation of this vulnerability could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition."
Fortunately, the FDA has not recorded any patient injuries or deaths related to these vulnerabilities [4].
Lifecycle Security Management
The PATCH Act emphasizes Total Product Life Cycle (TPLC) security, requiring manufacturers to integrate protection measures from design through postmarket updates [1][5]. This includes providing regular updates and patches to address critical vulnerabilities [1]. For connected devices, manufacturers are encouraged to use telemetry systems to detect unusual activity before it escalates [5].
The FDA also suggests linking the SBOM to specific test cases, ensuring that identified vulnerabilities don't compromise critical code paths [5]. By embedding cybersecurity into quality system regulations, the PATCH Act shifts the focus from one-time compliance to ongoing responsibility, shaping how the industry approaches cybersecurity moving forward.
One Year Later: Impact on the Medical Device Industry
Compliance Trends and Industry Changes
The shift from voluntary guidelines to mandatory requirements has profoundly altered how manufacturers handle device submissions. Since the FDA began full enforcement on October 1, 2023, the effects have been both measurable and far-reaching. According to Medcrypt, there has been a 700% increase in "Additional Information Needed" (AINN) or major deficiency letters tied to cybersecurity concerns [3]. Even more concerning, 70% of 510(k) submissions now receive AINN requests during their first review cycle following the implementation of these new rules [3].
The FDA's scrutiny has become highly specific, with an average of 15 cybersecurity-related deficiencies listed per letter when issues are identified [3]. These deficiencies often target technical aspects like outdated cryptographic algorithms or incomplete threat models. Naomi Schwartz, VP of Service at Medcrypt, highlighted this shift:
"FDA's review of cybersecurity in premarket submissions has become much more consistent and rigorous." [3]
To keep up, manufacturers are being forced to integrate cybersecurity into every stage of the product lifecycle. Many existing systems can't meet the stricter standards without undergoing costly redesigns [2].
This growing complexity in submissions has also driven a notable change in how the FDA enforces its rules.
FDA Enforcement and Oversight
Over the past year, the FDA has significantly refined its enforcement strategy. After a six-month grace period (March 29, 2023, to October 1, 2023), the agency began fully enforcing Section 524B [3]. Submissions now face "Technical Screening holds" in the eSTAR electronic template system if cybersecurity sections are incomplete or inaccurate [1][3].
The FDA's review process has also become more methodical. Reviewers now use a structured "four-part harmony" approach for deficiencies: they restate the provided information, identify what's missing, explain its importance with references to specific standards, and outline what’s needed for review completion [3]. A common issue flagged in deficiency letters is the lack of robust threat models, often tied to insufficiently trained personnel conducting these assessments [3].
Looking ahead, the FDA appears to be moving toward increased postmarket oversight. Experts predict the agency will issue guidance for inspecting Quality Management Systems to ensure healthcare third-party risk management processes are in place - similar to existing inspections for electromagnetic compatibility [3]. Under Section 518(b), the FDA also has the authority to demand repairs, replacements, or refunds if products fail to meet "state of the art" design standards [3].
This heightened regulatory attention has created challenges across the industry, impacting both manufacturers and healthcare organizations.
Challenges and Varied Responses
The stricter enforcement has highlighted the need for manufacturers to embed cybersecurity into every phase of development. This includes responding to postmarket signals, such as Common Vulnerabilities and Exposures (CVE) entries matched against the components listed in Software Bills of Materials (SBOMs), and integrating them into software development processes - a major operational shift [3].
Healthcare organizations face their own hurdles, especially with legacy Internet of Medical Things (IoMT) devices that weren’t built to meet today’s security demands. Troy Ament from CISO Collective explained the financial strain this creates:
"If these new government regulations come through without funding - healthcare providers label these type of rules as 'unfunded mandates' - there's just no way they could absorb the costs and burden alone." [6]
Another challenge is data normalization. When processing SBOMs from various vendors, healthcare providers often deal with inconsistent formats and varying levels of detail [4]. Phil Englert, Director of Medical Device Security at Health-ISAC, offered a solution:
"The key to solving the legacy problem is understanding where the risks reside and incorporating cybersecurity into replacement planning." [2]
For devices that can’t be patched, organizations are turning to strategies like network segmentation and passive monitoring to minimize risks until those systems can be replaced [2]. These measures help mitigate potential damage while bridging the gap between current vulnerabilities and future upgrades.
Cybersecurity Outcomes and Vulnerability Trends
Impact of SBOM Adoption
The adoption of the Software Bill of Materials (SBOM), as required by the PATCH Act, is reshaping how vulnerabilities are managed. Instead of relying on outdated manual spreadsheets, many providers now use cloud-based risk exchanges to streamline the sharing of cybersecurity information. For example, Tower Health managed to reduce its workforce dedicated to risk assessments by 33%, dropping from three full-time employees (FTEs) to two, while simultaneously increasing the number of assessments conducted [7]. Terry Grogan, CISO at Tower Health, highlighted the benefits:
"Censinet RiskOps allowed 3 FTEs to go back to their real jobs! Now we do a lot more risk assessments with only 2 FTEs required" [7].
These collaborative platforms now connect over 50,000 vendors and products across the healthcare industry [7]. This vast network enables organizations to quickly pinpoint vulnerabilities at the component level and respond to threats across their entire ecosystem. James Case, VP & CISO at Baptist Health, explained the broader impact:
"Not only did we get rid of spreadsheets, but we have that larger community [of hospitals] to partner and work with" [7].
While these advancements have improved efficiency, they do not fully address the challenges posed by older, legacy systems.
Remaining Risks and Gaps
Despite progress, significant risks remain, particularly with legacy medical devices. The PATCH Act's requirements are not retroactive - they apply only to new premarket submissions after March 29, 2023, or to existing devices undergoing modifications that require new premarket reviews [1]. This leaves a large number of older devices, which often lack modern cybersecurity protections, vulnerable to attacks. Many of these devices remain in use for decades [2].
The scale of the issue is considerable. Medical devices account for a significant share of connected endpoints in healthcare environments, with Internet of Things (IoT) and operational technology making up about 30% of network endpoints [2]. Key risks include unauthorized root access, tampered operating parameters, and lateral movement within networks [2]. Upgrading these systems to meet the FDA's stricter requirements often requires extensive and expensive redesigns [2].
These ongoing vulnerabilities underscore the importance of tracking progress through measurable benchmarks.
Metrics and Reported Improvements
Integrated risk management platforms, enhanced with AI-driven analytics, are helping organizations close operational gaps. These tools allow teams to respond to threats more quickly and handle a higher volume of assessments without needing additional staff [7].
Benchmarking has become a vital strategy for evaluating the maturity of cybersecurity programs across the industry. Brian Sterud, CIO at Faith Regional Health, underscored the value of this approach:
"Benchmarking against industry standards helps us advocate for the right resources and ensures we are leading where it matters" [7].
This peer comparison model equips healthcare leaders with the data they need to justify investments in cybersecurity and pinpoint areas for improvement.
How Censinet RiskOps™ Supports PATCH Act Compliance

Censinet RiskOps™ provides healthcare organizations with a comprehensive solution to meet the FDA's lifecycle security management requirements. It equips healthcare delivery organizations (HDOs) and medical device vendors with tools to manage premarket documentation and postmarket vulnerability tracking effectively.
Efficient Risk Assessments
Censinet RiskOps™ simplifies compliance with the PATCH Act by centralizing third-party and enterprise risk assessments into one platform. This approach enables HDOs and medical device vendors to perform standardized evaluations that align with FDA requirements for premarket cybersecurity documentation and postmarket vulnerability management [8][9].
The platform automates risk assessments, cutting timelines from weeks to days. It also facilitates timely vulnerability disclosures and swift patch deployments. With pre-built FDA-compliant templates and real-time collaboration tools, vendors can quickly address high-risk devices. For instance, case studies highlight that HDOs have achieved 40% faster assessments for connected devices using this platform [10][11].
This efficiency paves the way for advanced, AI-powered risk management strategies.
AI-Powered Patch Risk Management
Censinet RiskOps™ leverages artificial intelligence to analyze patch data and predict deployment risks. Its machine learning models, trained on historical breach data, work alongside Software Bills of Materials (SBOMs) to identify affected components. The system automates workflows to prioritize critical patches, flagging urgent updates for devices like pacemakers while simulating the impact of deployments [9][12].
In one analysis, AI-driven tools examined SBOM data from over 500 devices, uncovering that 20% of unpatched vulnerabilities posed high risks. These tools also generated automated remediation plans with 95% accuracy in risk scoring, reducing the mean time to patch (MTTP) by 30%. This improvement helps organizations meet PATCH Act requirements for monitoring vulnerability trends [11][13]. Additionally, bias detection algorithms and adjustments for factors like device age or vendor reliability ensure accurate predictions, supporting FDA oversight [9][14].
Collaborative Benchmarking for Compliance
Censinet RiskOps™ enhances compliance efforts further through its benchmarking capabilities. The platform offers anonymized benchmarking dashboards that allow organizations to compare their metrics - such as patch deployment rates and vulnerability resolution times - with industry peers and FDA standards. This fosters collaboration by enabling shared risk profiles and joint action plans, helping vendors address premarket gaps together [8][10].
Cybersecurity experts have noted that RiskOps™ improves communication between vendors and HDOs. By enabling real-time risk sharing, the platform has helped reduce unaddressed vulnerabilities by 35% in benchmarked groups [10][13]. This collaborative approach strengthens overall cybersecurity efforts while aligning with FDA expectations.
Conclusion: Lessons Learned and Future Directions
One year after the FDA PATCH Act's full implementation on October 1, 2023, the landscape of medical device cybersecurity has seen a dramatic transformation. The FDA has ramped up enforcement efforts, applying consistent and stringent cybersecurity standards during premarket reviews for all device submissions [3].
This shift has pushed manufacturers to overhaul their security approaches. A key takeaway is the importance of embedding cybersecurity into Quality Management Systems (QMS) and focusing on continuous improvement throughout the software lifecycle. Leveraging postmarket vulnerability data has become critical, though gaps in threat modeling - often due to limited specialized training - still pose challenges [3].
Looking to the future, regulatory requirements are expected to evolve further. The FDA is likely to introduce more detailed documentation standards and place greater emphasis on postmarket enforcement, including inspections of cybersecurity processes and complaint handling systems within QMS [3]. In this evolving environment, tools like Censinet RiskOps™ are becoming essential.
The PATCH Act has reshaped the regulatory framework, granting the FDA clear authority under Section 524B [3]. By adopting platforms like Censinet RiskOps™ for third-party risk management and AI-driven vulnerability monitoring, manufacturers can better adapt to these changes and ensure patient safety in a world where medical devices are increasingly interconnected.
FAQs
Which medical devices are covered by the FDA PATCH Act?
The FDA PATCH Act targets medical devices that rely on software, feature internet or network connectivity (such as USB or Bluetooth), or depend on systems like update servers. This covers a wide array of connected devices that come with built-in cybersecurity concerns.
What qualifies as an “acceptable” SBOM for FDA submissions?
An "acceptable" SBOM for FDA submissions needs to meet specific criteria. It must be machine-readable and include crucial details such as supplier information, component versions, dependencies, lifecycle data, and vulnerability management practices. To align with FDA cybersecurity requirements, the SBOM should adhere to recognized formats like SPDX or CycloneDX, offering sufficient detail to ensure transparency, security, and regulatory compliance.
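Two points above, the inconsistent SBOM formats providers receive from different vendors (see Challenges and Varied Responses) and the fields an acceptable SBOM must carry, can be exercised with a small normalizer. This is an added example, not code from the article or from any vendor's product; the two SBOM documents are constructed, and the field names follow the public CycloneDX 1.x and SPDX 2.x JSON schemas.

```python
"""Normalize CycloneDX and SPDX JSON SBOMs into one component table and flag the
fields the FAQ above calls essential. Sample documents below are constructed."""
import json

# Constructed CycloneDX 1.x document: the zlib entry has no supplier.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1w",
         "supplier": {"name": "OpenSSL Project"}, "bom-ref": "pkg:openssl"},
        {"type": "library", "name": "zlib", "version": "1.2.11", "bom-ref": "pkg:zlib"}],
    "dependencies": [{"ref": "pkg:openssl", "dependsOn": ["pkg:zlib"]}]})

# Constructed SPDX 2.3 document: the libcurl package has no versionInfo.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Pkg-busybox", "name": "busybox", "versionInfo": "1.36.1",
         "supplier": "Organization: BusyBox maintainers"},
        {"SPDXID": "SPDXRef-Pkg-libcurl", "name": "libcurl",
         "supplier": "Organization: curl project"}],
    "relationships": [{"spdxElementId": "SPDXRef-Pkg-busybox", "relationshipType": "DEPENDS_ON",
                       "relatedSpdxElement": "SPDXRef-Pkg-libcurl"}]})

REQUIRED = ("name", "version", "supplier")  # per-component fields a reviewer expects

def normalize(doc_text):
    """Return {ref: {name, version, supplier, depends_on}} for either format."""
    doc = json.loads(doc_text)
    comps = {}
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            comps[c.get("bom-ref", c["name"])] = {
                "name": c.get("name"), "version": c.get("version"),
                "supplier": (c.get("supplier") or {}).get("name"), "depends_on": []}
        for d in doc.get("dependencies", []):  # CycloneDX keeps the graph separately
            if d["ref"] in comps:
                comps[d["ref"]]["depends_on"] = list(d.get("dependsOn", []))
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            comps[p["SPDXID"]] = {"name": p.get("name"), "version": p.get("versionInfo"),
                                  "supplier": p.get("supplier"), "depends_on": []}
        for r in doc.get("relationships", []):  # SPDX expresses edges as relationships
            if r.get("relationshipType") == "DEPENDS_ON" and r["spdxElementId"] in comps:
                comps[r["spdxElementId"]]["depends_on"].append(r["relatedSpdxElement"])
    else:
        raise ValueError("unrecognized SBOM format")
    return comps

def completeness_gaps(comps):
    """List (component name, missing field) pairs that would draw a deficiency."""
    return [(c["name"], f) for c in comps.values() for f in REQUIRED if not c.get(f)]
```

Running `completeness_gaps(normalize(doc))` over each vendor's document yields the same shape of finding (here the zlib supplier and the libcurl version) whichever format the vendor shipped, which is what lets the two feeds be triaged in one queue.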
How can hospitals reduce risk from unpatchable legacy devices?
Hospitals can reduce risks posed by unpatchable legacy devices by using network segmentation to isolate them, ensuring they are separated from critical systems. Conducting regular risk assessments helps identify vulnerabilities and prioritize actions. Collaborating with vendors to obtain security documentation can provide insights into potential threats and mitigation strategies. For long-term safety, hospitals should also plan for device replacement or ensure secure decommissioning of outdated equipment.
