The increasing number of healthcare cybersecurity threats is pushing organizations to deploy numerous technologies to combat potential dangers. It can often be difficult, though, to have clear visibility into the hardware or software inside those technologies, according to the House Committee on Energy and Commerce.
There must be a “bill of materials” (BOM) for each piece of medical technology, which describes the components and potential risks associated with those components, the Committee explained in a letter to HHS Acting Secretary Eric Hargan.
“While the sector’s susceptibility to cyber threats has many causes, a significant and frequent source of risk is due to the fact that many of the technologies leveraged by health care stakeholders are, in essence, ‘black boxes,’” the letter stated. “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”
Citing the recent WannaCry and NotPetya attacks, lawmakers explained that both strains of malware relied on a vulnerability in a widely used protocol, SMBv1. During the outbreaks, organizations had to determine which of their technologies in fact used SMBv1 and then work to “quarantine” those technologies.
“Because information detailing which pieces of technology contain which protocols is often severely lacking or altogether unavailable, stakeholders were forced to take less targeted, and thus less effective, remediation steps, or to contact the manufacturers individually to try and obtain the missing information,” the Committee said. “For health care organizations that may have thousands of technologies in use, this slow, manual process actively harms their ability to respond to cybersecurity emergencies and thus their ability to protect patients.”
The Health Care Industry Cybersecurity Task Force report recommended that creating a BOM would help healthcare organizations combat the ever-evolving cybersecurity threats. Each piece of medical technology would have one, and it would “describe [the technology’s] components (e.g., equipment, software, open source, materials), as well as any known risks associated with those components,” the Committee said.
This extra visibility would not be “a silver bullet,” the letter acknowledged, but it is an important component for helping healthcare improve its overall approach to cybersecurity.
“The Task Force’s report, post-outbreak analyses of WannaCry and NotPetya, and Committee staff work on health care issues all demonstrate the risks presented by the continued prevalence of insecure and legacy components in health care technologies,” the Committee wrote. “This situation is untenable and elevates the need to explore the Task Force’s recommendation on the creation and deployment of BOMs.”
HHS must convene a sector-wide effort to develop a plan of action for creating, deploying, and leveraging healthcare technology BOMs, the letter stressed. An open and collaborative process will be necessary because it will give stakeholders the opportunity to contribute to finding the “strongest and most effective solution.”
The Committee requested a plan of action “no later than December 15, 2017,” and that HHS staff be made available to provide a briefing by December 22, 2017.
The Task Force report explained that BOMs can “assess the risk of medical devices on [organization’s] networks, confirm components are assessed against the same cybersecurity baseline requirements as the medical device, and implement mitigation strategies when patches are not available.”
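The SMBv1 scenario above and the Task Force’s three uses of a BOM (assess which devices are exposed, check components against a baseline, mitigate when no patch exists) amount to a simple inventory query. The following is an added illustration, not code from the Committee, the Task Force, or any real BOM standard: the record layout, the device names, and the “patch or isolate” rule are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Simplified BOM records for a hypothetical hospital inventory.
# The field names are this example's own, not a standard BOM schema.
@dataclass
class Component:
    name: str
    version: str
    protocols: List[str] = field(default_factory=list)  # network protocols the component speaks

@dataclass
class DeviceBOM:
    device_id: str
    model: str
    components: List[Component]
    patch_available: bool        # vendor has shipped a fix for the flagged weakness
    support_end: Optional[str]   # ISO date the vendor stops supporting the product, or None

# Constructed sample inventory (three devices; none are real products).
INVENTORY = [
    DeviceBOM("inf-pump-01", "Infusion Pump X",
              [Component("embedded-os", "6.0", ["SMBv1", "HTTP"])],
              patch_available=True, support_end="2020-06-30"),
    DeviceBOM("mri-02", "MRI Console Y",
              [Component("workstation-os", "xp-sp3", ["SMBv1"]),
               Component("dicom-server", "4.2", ["DICOM"])],
              patch_available=False, support_end=None),
    DeviceBOM("monitor-03", "Bedside Monitor Z",
              [Component("firmware", "3.1", ["HL7"])],
              patch_available=False, support_end="2025-01-01"),
]

def devices_using(inventory: List[DeviceBOM], protocol: str) -> List[str]:
    """The WannaCry-era question: which devices actually carry this protocol?
    Without a BOM this needs a call to every manufacturer; with one it is a lookup."""
    return sorted(
        bom.device_id
        for bom in inventory
        if any(protocol in c.protocols for c in bom.components)
    )

def remediation_plan(inventory: List[DeviceBOM], protocol: str) -> Dict[str, str]:
    """Per-device action for a flaw in the given protocol: apply the vendor patch
    where one exists, otherwise isolate the device on the network (the letter's
    'quarantine' step), and leave unaffected devices alone."""
    affected = set(devices_using(inventory, protocol))
    plan: Dict[str, str] = {}
    for bom in inventory:
        if bom.device_id not in affected:
            plan[bom.device_id] = "not affected"
        elif bom.patch_available:
            plan[bom.device_id] = "patch"
        else:
            plan[bom.device_id] = "isolate"
    return plan

def devices_out_of_support(inventory: List[DeviceBOM], as_of: str) -> List[str]:
    """Devices whose vendor support has ended by the given ISO date; these are the
    ones for which patches will not arrive and compensating controls must be planned.
    ISO dates compare correctly as strings, so no date parsing is needed."""
    return sorted(
        bom.device_id
        for bom in inventory
        if bom.support_end is not None and bom.support_end < as_of
    )

if __name__ == "__main__":
    print("SMBv1 present on:", devices_using(INVENTORY, "SMBv1"))
    print("Plan:", remediation_plan(INVENTORY, "SMBv1"))
    print("Out of support on 2021-01-01:", devices_out_of_support(INVENTORY, "2021-01-01"))
```

The point of the example is the contrast the letter draws: with the protocol list recorded per device, the targeted response (patch two devices, isolate one) takes a query, whereas without it the organization must either treat every device as suspect or wait on each manufacturer.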
Product vendors must be more transparent, the report added. Those companies need to let potential customers know about any issues, and tell potential customers the amount of time remaining for product support during procurement.
“Industry should actively participate in information sharing programs to better recognize and manage cybersecurity vulnerabilities and threats,” the report said. “Industry (e.g., manufacturers, vulnerability finders, etc.) must adopt and engage in coordinated vulnerability disclosure consistent with recognized standards (e.g., ISO/IEC 29147 and ISO/IEC 30111).”