A new bill recently introduced in the House aims to improve medical devices security. This is the second time this year that members of Congress have created a bill specifically targeted at medical device cybersecurity.
The Medical Device Cybersecurity Act of 2017 was announced in July to better protect sensitive patient information and to create stronger cybersecurity protections for connected devices.
Now, the newest bill, the Internet of Medical Things Resilience Partnership Act, has just been introduced. It proposes that federal regulators work with healthcare providers and insurers, as well as technology firms, to recommend voluntary frameworks and guidelines that will improve the security of medical devices.
The framework and guidelines would be established by a new working group to be formed by members from the Food and Drug Administration and the National Institute of Standards and Technology. Its mission would be to develop "recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the US that store, receive, access or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm."
One of the bill’s authors, Indiana Congresswoman Susan Brooks, says:
...bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality and that this can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies."
Brooks also points out that,
As the number of connected medical devices continue to grow, so does the urgency to establish guidelines for how to prevent these kinds of dangerous attacks.”
Medical Device Attacks Increasing
That another bill has been proposed to safeguard medical devices comes as no surprise. The number of medical devices hacked in the past several years has skyrocketed. According to provider data reported to the Department of Health and Human Services, more than 113 million personal health records were compromised in 2015 – nine times as many hacks in 2014.
Last year, medical device giant Johnson & Johnson disclosed that its insulin pumps had a security vulnerability that hackers could use to access the device and cause a potentially fatal overdose of insulin. The Animas OneTouch Ping’s wireless controller was what made it vulnerable and it’s those wireless connections which can be an easy access point for hackers. While the probability of an attack was low, Johnson & Johnson had to notify 114,000 patients in the US and Canada about the possibility of unauthorized access to the product.
And then in May of this year, the powerful WannaCry ransomware attack affected not only hospitals in the US and the UK, but according to Forbes Magazine, a Bayer Medrad radiology device was hacked. Fortunately, only two customers were affected and the device’s operation was restored within 24 hours.
Pain Points
There are many drivers for security in the medical device space. The major themes are around, but not limited, to:
- privacy of data, which largely stems from the IT side;
- devices as attack vectors to get into higher value systems or assets on the network; and
- compromise of devices to create physical harm or operational disruption to the healthcare environment.
Senator Brooks’ statement accurately reflects this multi-dimension nature of the risks, which is an encouraging perspective on the genesis of the bill. Recommendations and consensus in a framework is a good starting point, however the urgency of adoption may need legislative incentives behind it, such as fines/penalties for non-compliance.
Aside from legislation, healthcare buyers can help move the industry forward and also protect themselves by mandating compliance in request for proposals. However, standardization, testing and certification bodies will need to get involved to enable proper certification of medical devices.
The proposed working group composition of the Food and Drug Administration and the National Institute of Standards and Technology seems appropriate and covers a wide range of relevant perspectives.
Often, output from these guidance documents is too “fluffy” and leaves much room for interpretation and assessment of specific technical approaches. This will be compounded by the fact that some stakeholders involved have interests in line with reducing their costs of complying with the framework.
We must start somewhere, so anything in this realm is good, but it does indicate that consensus and enforcement of best practices are not on the horizon, at least for another year.
If you have any thoughts or questions on this topic that you'd like to share with us, please use the comments below or contact us on Twitter.