The House Committee on Energy and Commerce is calling on HHS to act promptly on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force.
In a letter, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, wrote: “The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats.”
That task force was formed as required by the 2015 Cybersecurity Act passed by Congress, to help identify and address the unique challenges the healthcare industry faces in securing data and information against cyber-attacks.
In passing the act, Congress noted that while healthcare organizations are increasing expenditures on technologies to prevent cyber-attacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data.
Earlier this year, the Cybersecurity Task Force published its review and recommendations for medical device security, which included six imperatives:
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity
- Increase the security and resilience of medical devices and health IT
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
- Increase healthcare industry readiness through improved cybersecurity awareness and education
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure
- Improve information sharing of industry threats, risks, and mitigations
Among the recommendations for medical device technologies is a call for manufacturers to provide a Bill of Materials for devices that would allow healthcare organizations to make security decisions and identify vulnerabilities.
In the letter, Walden pointed to the NotPetya and WannaCry ransomware attacks, which exploited a vulnerability in version 1 of the Windows Server Message Block protocol (SMBv1) and left healthcare organizations scrambling to determine which of their technologies were using or depending on SMBv1.
Such a Bill of Materials for electronic devices could require a list of the components used on the printed wiring board or printed circuit board, as well as the open source and commercial software and firmware the device runs.
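The value of such a Bill of Materials is that the post-WannaCry scramble described above becomes a lookup. The following is an added illustration, not code from the article or from any device maker: it models a small device inventory with hardware, firmware and software BoM entries (a constructed sample, with hypothetical device and component names) and answers the question "which devices expose SMBv1?" directly from the inventory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str            # e.g. an operating system, library or board part
    version: str
    kind: str            # "hardware", "firmware" or "software"
    protocols: tuple = ()  # network protocols the component exposes, if any


@dataclass
class DeviceBom:
    device: str
    components: list


# Constructed sample inventory: three hypothetical devices, each with the
# hardware / firmware / software BoM the letter describes. Illustration only.
INVENTORY = [
    DeviceBom("infusion-pump-A", [
        Component("ARM Cortex-M4 MCU", "r0p1", "hardware"),
        Component("pump-firmware", "2.3.1", "firmware"),
        Component("Windows Embedded Standard 7", "SP1", "software", ("SMBv1", "SMBv2")),
    ]),
    DeviceBom("imaging-workstation-B", [
        Component("Windows 10", "1703", "software", ("SMBv2", "SMBv3")),
        Component("dicom-viewer", "4.0", "software", ("DICOM",)),
    ]),
    DeviceBom("patient-monitor-C", [
        Component("embedded-linux", "4.4", "software", ("SMBv1",)),
        Component("monitor-firmware", "1.0.9", "firmware"),
    ]),
]


def devices_exposing(inventory, protocol):
    """Return (device, component) pairs whose BoM lists `protocol`, in inventory order."""
    return [(bom.device, c.name)
            for bom in inventory
            for c in bom.components
            if protocol in c.protocols]


def devices_with_component(inventory, name):
    """Return the sorted device names whose BoM contains a component called `name`."""
    return sorted({bom.device for bom in inventory
                   if any(c.name == name for c in bom.components)})


if __name__ == "__main__":
    for device, component in devices_exposing(INVENTORY, "SMBv1"):
        print(f"{device}: {component} exposes SMBv1 - prioritise for patching or isolation")
```

The same query answers any later advisory (a vulnerable library name, a deprecated protocol) as long as manufacturers keep the BoM current with each firmware or software update.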
Other action items in the Task Force report include calling on healthcare accreditation organizations, such as the Joint Commission, to consider incentives, requirements and/or guidelines covering the use of unsupported systems and their mitigation strategies, real-time updates and patches, and the phasing out of legacy and insecure healthcare technologies.
The complete Healthcare Industry Cybersecurity Task Force report is available here. If you are a medical device maker looking for an advisory partner, Kapstone Medical is well versed in regulatory planning, 510(k) submissions, CE Mark and quality systems development.