- Two state representatives introduced a medical device cybersecurity bill this week that focuses on centralizing current and relevant frameworks, guidelines, and standards for Internet of Medical Things (IoMT) devices.
There must be collaboration between public and private stakeholders, Rep. Dave Trott and Rep. Susan Brooks explained. The Internet of Medical Things Resilience Partnership Act will help identify security gaps and find “actionable solutions while providing a framework for IoMT developers for which to reference,” according to a statement from the duo.
The bill calls for the Food and Drug Administration (FDA) and NIST to “establish a working group of public and private entities to develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the United States that store, receive, access, or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm.”
The group will submit a report to Congress within 18 months, with recommendations on the following areas:
- Identified existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to mitigate device vulnerabilities
- Identified existing and developing international and domestic cybersecurity standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices
- Specified high-priority gaps for which new or revised standards are needed
- Identified potential action plans by which such gaps can be addressed.
“There are millions of medical devices susceptible to cyber-attacks and often times, we are wearing these networked technologies or even have them imbedded in our bodies,” Brooks stated. “Bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality. This can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies.”
She added that the need for cybersecurity guidelines that will prevent potential attacks grows stronger as the number of connected medical devices increases. Companies and consumers need a framework to ensure devices and health data remain protected.
“In our nation’s hospitals, technology has helped provide better quality and more efficient health care, but the perpetual evolution of technology – its greatest strength – is also its greatest vulnerability,” Trott said. “Since 2009, the health care data of over 127 million Americans has been compromised by cyber criminals, and existing security frameworks continue to leave this information vulnerable by failing to adapt to technological innovation.”
Connecticut Senator Richard Blumenthal introduced medical device cybersecurity legislation in August 2017 that also aimed to protect individuals’ medical information.
Blumenthal’s S. 1656 would create a cyber report card for devices and require that testing be performed before devices are sold, which he said would increase medical device cybersecurity transparency.
“My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks,” Blumenthal said in a statement. “Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”
The legislation would also strengthen medical device remote access protections in and outside of hospitals and ensure that cybersecurity fixes not require FDA recertification.
Guidance and recommendations for end-of-life devices would be necessary under the bill, as well as secure disposal and recycling instructions. The DHS Computer Emergency Readiness Team (ICS-CERT) responsibilities would also be expanded to include the cybersecurity of medical devices.
The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) both supported Blumenthal’s bill, saying the potential risk posed to patients from unsecured medical devices is a top priority.
“We appreciate Senator Blumenthal’s leadership and interest in this complicated issue as providers try to ensure that patients get the benefits that medical devices offer without exposing them to potential safety risks,” CHIME Board Chair Liz Johnson said in a statement. “CHIME is pleased to endorse this legislation. We look forward to continuing a dialogue with members of Congress, the administration and industry partners on this critical issue.”