Connecticut Senator Richard Blumenthal introduced medical device cybersecurity legislation last week in an effort to better protect sensitive patient information and to create stronger cybersecurity protections for connected devices.
The Medical Device Cybersecurity Act of 2017 (S. 1656) has already garnered support from the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).
CHIME Board Chair Liz Johnson explained that networked medical devices posing potential risk to patients is a top CHIME concern.
“We appreciate Senator Blumenthal’s leadership and interest in this complicated issue as providers try to ensure that patients get the benefits that medical devices offer without exposing them to potential safety risks,” said Johnson, who is also CIO of Acute Care Hospitals and Applied Clinical Informatics at Tenet Healthcare. “CHIME is pleased to endorse this legislation. We look forward to continuing a dialogue with members of Congress, the administration and industry partners on this critical issue.”
AEHIS Board Chair Deborah Stevens added that recent large-scale cybersecurity attacks – such as WannaCry ransomware – demonstrate just how important the medical device legislation is to healthcare.
“WannaCry and Petya shined a bright light on the vulnerabilities in the healthcare sector and more specifically with medical devices,” stated Stevens, who is also chief security officer at Tufts Health Plan. “On behalf of the AEHIS membership we applaud Senator Blumenthal for taking on this important issue.”
Blumenthal explained in a statement that medical device security is in critical condition, adding that the devices often hold large amounts of sensitive patient information. Ransomware attacks and other cybersecurity issues are not likely to decrease, and manufacturers will, knowingly or unknowingly, continue to sell vulnerable products that could jeopardize patient data.
“My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks,” Blumenthal said. “Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”
S. 1656 will create a cyber report card for devices and require that testing be performed before devices are sold. This will increase medical device cybersecurity transparency.
Blumenthal added that the legislation aims to do the following:
- Bolster remote access protections for medical devices in and outside of the hospital
- Ensure that crucial cybersecurity fixes or updates remain free and do not require FDA recertification
- Provide guidance and recommendations for end-of-life devices, including secure disposal and recycling instructions
- Expand the DHS Computer Emergency Readiness Team (ICS-CERT) responsibilities to include the cybersecurity of medical devices.
Medical device security is increasingly becoming a top healthcare concern, especially as more devices are connected to the internet and to one another. One compromised device could quickly affect numerous others.
The WannaCry ransomware attack was found to have infected medical devices, according to previous HITRUST investigations.
Indicators of Compromise (IOCs) “were identified within the HITRUST Enhanced IOC program well in advance of [the WannaCry] attacks,” the organization explained.
“HITRUST is reaching out to healthcare organizations and trade associations to provide information to detect, prevent and remediate the threat and associated malware,” HITRUST said in an earlier statement. “HITRUST identified the IOCs in advance of last Friday and published them to the HITRUST CTX and has been publishing guidance continuously since Friday, May 12th.”
Patches and software updates are critical data security protections for medical devices and other pieces of technology that providers utilize. Investigations showed that WannaCry targeted Microsoft’s Windows operating system and used the EternalBlue exploit that was allegedly developed by the National Security Agency (NSA).
While Microsoft did release a security update, MS17-010, on March 14, 2017, organizations that had not yet installed the update left their systems more exposed to the attack.
“Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests,” Microsoft explained in its advisory on the Windows SMB remote code execution vulnerabilities. “An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.”
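The exposure described above comes down to two host-level conditions a provider can check for: the SMBv1 server protocol is still enabled and reachable, and the MS17-010 update has not been installed. The following PowerShell script is an added example, not code from the article, Microsoft or HITRUST. It assumes Windows 8 / Server 2012 or later (so that `Get-SmbServerConfiguration` and `Get-NetTCPConnection` exist) and an elevated prompt; the `$Ms17010Kb` value is a placeholder, because the KB article that delivers MS17-010 differs by Windows version and must be taken from the bulletin for the host being checked.

```powershell
<#
  Added example (not from the article): audit a Windows host for the conditions
  WannaCry relied on - SMBv1 enabled, port 445 listening, MS17-010 missing - and
  optionally disable SMBv1. Assumes Windows 8 / Server 2012 or later, run elevated.
  $Ms17010Kb is a PLACEHOLDER: look up the MS17-010 KB number for this host's OS.
#>
param(
    [string]$Ms17010Kb = 'KB0000000',   # placeholder, replace with the KB for this OS
    [switch]$Remediate                  # disable SMBv1 if it is found enabled
)

function Get-Smb1Exposure {
    param([string]$KbId)

    # Server-side SMB setting; this is what the SMB server actually honours.
    $serverCfg    = Get-SmbServerConfiguration
    $smb1ServerOn = [bool]$serverCfg.EnableSMB1Protocol

    # The SMB1Protocol optional feature (Windows 8.1 / 2012 R2 and later); absent on older builds.
    $smb1Feature = 'n/a'
    try {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $smb1Feature = $feat.State
    } catch { }

    # A vulnerable service is only reachable if something is listening on 445.
    $listening445 = @(Get-NetTCPConnection -LocalPort 445 -State Listen `
                        -ErrorAction SilentlyContinue).Count -gt 0

    # Get-HotFix only lists updates installed as discrete packages, so a 'missing'
    # result on a host that receives cumulative updates should be confirmed by other means.
    $patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb1ServerOn
        Smb1FeatureState  = $smb1Feature
        Port445Listening  = $listening445
        Ms17010Installed  = $patched
        # Highest risk: SMBv1 on, port reachable, patch not found.
        Exposed           = ($smb1ServerOn -and $listening445 -and -not $patched)
    }
}

function Disable-Smb1 {
    # Turn off the SMBv1 server protocol, then remove the feature where it exists.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    try {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "SMB1Protocol feature not present or could not be disabled: $_"
    }
}

$report = Get-Smb1Exposure -KbId $Ms17010Kb
$report | Format-List

if ($report.Smb1ServerEnabled -and $Remediate) {
    Disable-Smb1
    Write-Output 'SMBv1 disabled; a reboot may be required to complete feature removal.'
}
```

Run without `-Remediate` first to get a read-only report; the `Exposed` field flags hosts where all three conditions hold. Disabling SMBv1 is the durable fix even on patched systems, but it should be tested against any legacy medical device or imaging system that still depends on the protocol before it is rolled out.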