Bill Overview
Title: PATCH Act of 2022
Description: This bill requires premarket applications for cyber devices (i.e., medical devices that include software or connect to the internet) to include information relating to cybersecurity, including plans to monitor for cybersecurity risks and address vulnerabilities through regular product updates.
Sponsors: Rep. Burgess, Michael C. [R-TX-26]
Target Audience
Population: People using internet-connected medical devices worldwide
Estimated Size: 5,000,000
- The PATCH Act of 2022 affects medical devices that include software or connect to the Internet, which implies the target population includes users and manufacturers of these devices.
- Cybersecurity issues and risks associated with medical devices can impact patients using these devices.
- Healthcare companies and professionals will be impacted as they must adapt to new regulations and ensure compliance, which can transform operations and product management strategies.
- Regulatory bodies will be involved in the implementation of the new cybersecurity standards and will need to ensure manufacturers comply with these requirements.
Reasoning
- The target population is people utilizing internet-connected medical devices in the US, estimated at 5,000,000 individuals.
- The PATCH Act affects device manufacturers, healthcare providers, and patients who rely on these devices.
- Cybersecurity enhancements are expected to improve patient safety, potentially increasing wellbeing by alleviating concerns over security risks.
- Costs and operational impacts on manufacturers and healthcare providers may initially affect availability and the cost of devices.
Simulated Interviews
Retired teacher (Florida)
Age: 67 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- I feel uneasy about my medical data being vulnerable to hacking, but I appreciate efforts to address this issue.
- I hope this policy makes these devices safer without making them too expensive or difficult to use.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 5 |
Healthcare IT consultant (California)
Age: 45 | Gender: male
Wellbeing Before Policy: 8
Duration of Impact: 20.0 years
Commonness: 2/20
Statement of Opinion:
- This policy will encourage manufacturers to take cybersecurity more seriously, which is long overdue.
- It might temporarily increase costs, but the long-term benefits for user safety are worth it.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 7 |
| Year 3 | 9 | 7 |
| Year 5 | 9 | 7 |
| Year 10 | 9 | 6 |
| Year 20 | 8 | 6 |
Medical device engineer (New York)
Age: 30 | Gender: other
Wellbeing Before Policy: 9
Duration of Impact: 20.0 years
Commonness: 2/20
Statement of Opinion:
- The PATCH Act enforces what should already be a given in the industry: robust cybersecurity.
- While initially costly, these requirements will push innovation and improve trust in our devices.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 9 | 9 |
| Year 2 | 9 | 9 |
| Year 3 | 10 | 8 |
| Year 5 | 10 | 8 |
| Year 10 | 10 | 7 |
| Year 20 | 9 | 7 |
Endocrinologist (Texas)
Age: 50 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 15.0 years
Commonness: 4/20
Statement of Opinion:
- Ensuring device security through careful policy will enhance patient trust.
- However, the industry might struggle with compliance timelines and costs, affecting device availability.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 5 |
Athlete (Minnesota)
Age: 28 | Gender: male
Wellbeing Before Policy: 8
Duration of Impact: 5.0 years
Commonness: 5/20
Statement of Opinion:
- I appreciate the focus on cybersecurity, ensuring my data remains confidential.
- I hope that the policy will not delay innovations or make devices prohibitively costly.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 8 |
| Year 3 | 8 | 8 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 6 |
Small business owner (Ohio)
Age: 60 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- I understand the need for improved cybersecurity but worry about additional costs passed to consumers.
- Safeguarding personal data is crucial, yet the healthcare system is already a heavy financial burden.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 5 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 6 | 5 |
| Year 10 | 6 | 5 |
| Year 20 | 5 | 4 |
Retired engineer (Illinois)
Age: 72 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 15.0 years
Commonness: 3/20
Statement of Opinion:
- I'm relieved that measures are being taken to improve security on these devices.
- I hope this doesn't become another reason for price hikes or limited access.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 4 |
| Year 20 | 7 | 4 |
Cybersecurity analyst (Virginia)
Age: 39 | Gender: female
Wellbeing Before Policy: 9
Duration of Impact: 20.0 years
Commonness: 2/20
Statement of Opinion:
- The PATCH Act should serve as a baseline for better securing life-critical devices.
- While not ideal, the anticipated bi-annual updates could substantially reduce vulnerabilities.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 9 | 9 |
| Year 2 | 9 | 8 |
| Year 3 | 10 | 8 |
| Year 5 | 10 | 7 |
| Year 10 | 10 | 6 |
| Year 20 | 9 | 6 |
Medical device sales representative (Oregon)
Age: 55 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- Security is a selling point for our products; this act brings a competitive advantage if handled well.
- The upfront costs are challenging, but our reputation benefits significantly.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 5 |
Nurse practitioner (Colorado)
Age: 34 | Gender: other
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- Integrating secure practices helps in fostering patient trust.
- Training and adapting to new standards could face initial hurdles, but overall this is a win for patient care.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 9 | 5 |
| Year 20 | 8 | 5 |
Cost Estimates
Year 1: $50,000,000 (Low: $40,000,000, High: $60,000,000)
Year 2: $45,000,000 (Low: $35,000,000, High: $55,000,000)
Year 3: $45,000,000 (Low: $35,000,000, High: $55,000,000)
Year 5: $40,000,000 (Low: $30,000,000, High: $50,000,000)
Year 10: $35,000,000 (Low: $25,000,000, High: $45,000,000)
Year 100: $10,000,000 (Low: $5,000,000, High: $15,000,000)
Key Considerations
- Ensuring compliance with cybersecurity standards might require significant upfront costs for device manufacturers.
- Long-term savings from improved cybersecurity could outweigh short-term costs but are difficult to quantify exactly.
- The legislative environment will require continual updates as cybersecurity threats evolve.