Preparing for the PATCH Act and RTA

The Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act) comes into force on October 1, 2023. The Act strengthens cybersecurity requirements for medical device pre-market submissions and post-market surveillance. Companies must develop a product monitoring plan, cyber-anomaly response plan, coordinated messaging of cyber vulnerabilities, Software Bill of Materials (SBOM) and demonstrate the ability to release critical vulnerability patches ‘as soon as possible.’

In accordance with the Patch Act, the FDA announced that it may Refuse to Accept (RTA) premarket submissions that do not meet these requirements, beginning on October 1, 2023.

To learn more about the challenges medtech manufacturers and developers face in meeting these new requirements, we spoke with Erez Kaminski, former head of AI with Amgen and founder of  Ketryx, an MIT-funded startup with an AI developer tool that helps safety-critical, medtech software teams develop safer software, and Paul Jones, Executive Vice President of Ketryx, and former FDA official who contributed to the development of IEC 62304 and founded the FDA’s software engineering lab.