Soichiro,
The PATCH Act is the name of the bill that was introduced in Congress to give FDA authority to request cybersecurity-related documentation in premarket submissions. This was passed at the end of 2022 as part of the consolidated appropriations bill, and went into effect on March 29, 2023. The act amended section 524B of the FD&C Act to require medical device manufacturers to demonstrate in their submissions that the devices are designed with cybersecurity provisions, that they are designed to be maintainable and patchable, and that they have an SBOM. Also, the devices need to have undergone cybersecurity risk management (including threat modeling) and have a patch management plan.
Pursuant to this, FDA published two guidance documents: 1. an RTA policy for submissions that did not meet the minimum requirements of the act, which went into effect October 1; and 2. the finalized premarket cybersecurity guidance.
So the impact of the act is that every premarket submission (including changes to existing devices that trigger a new submission) to FDA needs to comply with the section 524B requirements - and it is FDA's thinking that compliance with the FDA premarket security guidance meets the requirements of section 524B.
Below are links to the two guidance documents. Hope this helps!
1. https://www.federalregister.gov/documents/2023/03/30/2023-06646/cybersecurity-in-medical-devices-refuse-to-accept-policy-for-cyber-devices-and-related-systems-under
2. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
------------------------------
Manan Hathi RAC
Sr. Manager, Regulatory Affairs - Software
Flower Mound TX
United States
------------------------------
Original Message:
Sent: 08-Nov-2023 21:41
From: Soichiro Iida
Subject: What is the PATCH Act?
Dear All,
I have recently learned that the Protecting and Transforming Cyber Healthcare Act (PATCH Act) was implemented on the 1st of October.
Could anyone advise where the link to this act is?
Also, it would be appreciated if you could let us know of a good website which introduces the overview of the Act.
I know the FDA has released some cybersecurity-related guidance and they might be related to the Act, but I would like to know what the implication of the Act is.
------------------------------
Soichiro Iida
Kyoto
Japan
------------------------------