Newly Introduced PATCH Act Seeks to Secure IoT in Healthcare


Recent years have proven that there is a prominent place for IoT in healthcare. With Mordor Intelligence projecting a valuation of $89.6 billion by 2026 (a CAGR of 11.6% from 2021), it’s clear that the powers that be have recognized the potential for IoT solutions to improve the world’s healthcare providers.

Unfortunately, with these new devices have also come new opportunities for bad actors to illegally access sensitive data and equipment. A 2019 study suggested that 82% of healthcare organizations had experienced cyberattacks that stemmed from improperly secured IoT devices, and more recent news suggests that this trend is continuing.

To help curb these incursions, many legislative bodies have begun introducing new laws and guidelines meant to help shore up the defense of IoT devices. To this end, a bipartisan group of senators has introduced a new bill that would go a long way toward making IoT in healthcare more secure. 


What is the PATCH Act?

Jointly introduced by Sens. Tammy Baldwin (D-Wis) and Dr. Bill Cassidy (R-LA), the Protecting and Transforming Cyber Health Care (or PATCH) Act aims to improve the security of medical IoT devices before they even hit the market. The bill seeks to amend the Food, Drug, and Cosmetic Act by requiring any premarket submission for “a cyber device” to present a “reasonable assurance of safety and effectiveness throughout [its] lifecycle.”

To accomplish this, the PATCH Act will require manufacturers to design, develop, and maintain procedures that ensure regular support, updates, and patches throughout a device’s lifecycle. Given that most IoT devices are released without innate security measures and with known vulnerabilities, this would go a long way toward improving the security of connected devices.

Another provision would involve manufacturers issuing a Coordinated Vulnerability Disclosure to demonstrate the safety and effectiveness of a device. This would work in concert with the requirement for medical IoT device developers to develop a plan to monitor, identify and address all vulnerabilities even after the device has been sold.

The bill would also see manufacturers create a software bill of materials (SBOM) for every medical IoT device they plan to bring to market. An SBOM is a list of all software components in a device that allows would-be buyers or operators to better understand any security risks or flaws that may be contained within. The security challenges facing the healthcare industry have inspired many organizations to readily embrace the concept.


More Than One Way To Secure IoT in Healthcare

The PATCH Act is not the only effort being made to secure IoT in healthcare: another bipartisan bill, the Healthcare Cybersecurity Act, has recently been introduced. Among other things, this legislation would see the Cybersecurity and Infrastructure Security Agency (CISA) partner with the Department of Health and Human Services to address threats to cybersecurity specifically as it pertains to medical devices and facilities.

CISA would then operate as a coordination and educational partner for healthcare providers through information sharing, training, and threat monitoring for public and private healthcare organizations. This would also entail CISA-led research into the best strategies for securing medical devices and records, as well as the potential impacts of an incursion on patient care.

“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyber-attacks,” Senator Cassidy said in a press release. “This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.”

IoT in Healthcare Can Present Security Issues

Recent years have seen a spike in data attacks targeting healthcare organizations, with IoT devices, in particular, being prime targets. With Forbes estimating that over 646 million IoT devices were deployed in clinics, hospitals, and other medical centers in 2020, a lot of eyes are on the security of these devices.

Since the start of the Covid-19 pandemic, the biggest threat facing medical IoT devices remains the continued evolution of ransomware. Modern healthcare facilities utilize advanced AIs and machine learning technologies to get the most out of their IoT devices, yet more and more hackers are corrupting these systems to seize control of devices, launch DDoS attacks, or steal private data. Ransomware like Ryuk, which uses phishing tactics to infect systems before encrypting specific files gathered via AI algorithms, has contributed an estimated $67 million in additional costs to the healthcare industry in 2021 alone.

Healthcare facilities are typically reliant upon centralized networks that allow them to create customized digital infrastructures to support their complex web of equipment, including medical IoT devices. These enclosed environments may limit the access of outside sources, but they also create a contained environment from which hackers can gain access to sensitive data. Once inside, their attacks can reach across geographic boundaries to other facilities within a hospital system, and most organizations would rather pay costly ransoms than risk loss of services.


Investment In Security Is Vital to the Growth of IoT in Healthcare

By addressing cybersecurity at the manufacturer level, the PATCH Act hopes to put people's minds at ease when it comes to their healthcare providers and to rejuvenate the adoption and innovation of new medical IoT devices.

“New medical technologies have incredible potential to improve health and quality of life,” said Senator Cassidy. “If Americans cannot rely on their personal information being protected, this potential will never be met.”

Though the targeting of healthcare facilities and devices will likely continue to evolve in the near future, many organizations are looking to shore up their defenses. A new report from Meticulous Research suggests that the global IoT security market could reach a valuation of $59.16 billion by 2029, with the healthcare sector identified as one of the key adopters.

Of course, securing an IoT deployment involves more than just common-sense security measures for its devices. A robust security strategy involves private networking solutions, such as Soracom Door or Canal; network monitoring capabilities, such as those provided by Soracom Junction; and secure certificate provisioning, like that provided by Soracom Krypton. It may also involve multiple connectivity solutions, as cellular connectivity is typically much more secure than Wi-Fi.

