
Protecting Patients from Hackers Targeting Medical Devices


We carry medical devices in and on our bodies. The PATCH Act will keep us safe from hackers who would exploit them.

Published Aug 30, 2022 • by AHIP

As technology advances, innovative medical devices are becoming a larger part of patients’ everyday lives. Many of us have pacemakers or knee replacements that can be monitored from afar by our cardiologist or orthopedist. Diabetic glucose testing can be done with the help of an app. Breathing and monitoring devices can help new parents of medically fragile children. And virtual reality is being used to treat a wide range of mental health conditions.

These devices improve not only patients’ health care but also their lives, giving them more freedom. But with such technology-based innovation and widespread use come new forms of security and privacy risk. That is why AHIP supports the “Protecting and Transforming Cyber Health Care Act of 2022” (the PATCH Act, H.R. 7084 and S. 3983).

No longer found only in health care venues such as physician offices and hospitals, implantable and wearable devices follow patients wherever they go – whether at home, the gym, the office, or on the road. And they are often enabled so that they can connect to hospital networks, patient phones, smartwatches, and the internet.

Cyber threats are ever-present through malware, social engineering, wireless connections, and other means. Hackers can gain control of devices, steal data, trick a person into divulging credentials, or breach a hospital network or health technology system. Transparency, built-in safeguards, and diligent monitoring of threats and device weaknesses are necessary to minimize the cybersecurity threat to patients, providers, manufacturers, and other connected entities.

The U.S. Food and Drug Administration (FDA) regulates medical devices, including Software as a Medical Device, and plays a critical role in ensuring the safety of medical devices. The FDA works with several federal government agencies, including the U.S. Department of Homeland Security, as well as with medical device manufacturers, health care delivery organizations, and cybersecurity researchers to strengthen and improve cybersecurity. The FDA has broad regulatory authority and issues guidance to assist medical device manufacturers with respect to products with cybersecurity risks before, during, and after the development and release of these devices. The FDA is in the process of updating its guidance to keep pace with potential security risks and new developments in medical devices.

The House and Senate have both introduced versions of the PATCH Act, important legislation that would enhance the FDA’s authority, permitting the agency to assist device manufacturers in reducing cybersecurity risks in their devices. The PATCH Act would apply a patient safety focus to cybersecurity requirements for device manufacturers seeking FDA approval, and it would require device manufacturers to monitor and address post-market vulnerabilities. This legislation is a critical response to the potential vulnerabilities associated with the growing interconnectedness and technical abilities of medical devices.

Bad actors will continue to seek weaknesses in these devices and the data they collect. Patients deserve to know that the device they are wearing or have implanted in their bodies is appropriately protected from cyber threats.

Learn more about health insurance providers’ efforts to safeguard data and technology.