Bill Proposes Bolstering Medical Device CybersecurityLegislation Would Require Device 'Cyber Report Cards'
Proposed legislation introduced into the Senate aims to help bolster the security of medical devices, including creating a report card that provides transparency about a device's "cyber capabilities," such as results from cyber risk assessments and testing.
The Medical Device Cybersecurity Act of 2017 introduced on Aug 1. by Sen. Richard Blumenthal, D-Conn. would amend the Federal Food, Drug, and Cosmetic Act "to provide cybersecurity protections for medical devices," a text of the proposed bill says.
"The security of medical devices is in critical condition," Blumenthal said in a statement. "My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans' health and confidential personal information at risk."
The legislation aims to "enhance medical device cybersecurity by requiring greater transparency of cyber defenses; securing and encrypting remote access connections; streamlining the process for cyber patches and upgrade; and establishing a cyber emergency response team," an overview of the legislation explains.
One of the bill's provisions also calls upon the Department of Homeland Security - in coordination with industry stakeholders - to create a "report card" that describe a device's cyber capabilities, includes results from cyber risk assessments; mandates cyber testing prior to sale; and provides guidance for a product's secure use.
"The report card allows apples-to-apples comparisons between devices," the proposal says.
In addition, among the bill's other proposals are:
- Bolstering remote access protections for medical devices in and outside of the hospital. That includes requiring manufacturers to obtain consent from healthcare providers prior to remotely accessing a medical device; mandating that remote access connections be encrypted; adhering to the National Institute for Standards and Technology security standards; and that medical device access be logged for audit.
- Affirming that medical device cybersecurity patches and updates are free from vendors and do not require FDA device recertification.
- Soliciting guidance from device manufacturers on how to establish compensating controls for products that stay in operation past the date on which the vendor stops providing cybersecurity fixes, and how to securely recycle and dispose of devices after their lifespan.
- Expanding the DHS Industrial Control Systems Cyber Emergency Response Team's responsibilities to include response and investigation of cybersecurity incidents in medical devices.
Shining a Spotlight
Some medical device cybersecurity experts say that while not all the proposals are perfect - and some are redundant to industry efforts already underway - the bill is generally helpful in spotlighting critical issues concerning cybersecurity of medical devices.
"Transparency is key. Medical device [makers] must design security in rather than bolt it on after that fact," says Kevin Fu, chief scientist of cybersecurity firm Virta Labs and director of the Archimedes Center for Medical Device Security at the University of Michigan.
Fu adds that he's supportive of Blumenthal proposing "to do the right thing to improve medical device cybersecurity so that our hospitals and national healthcare infrastructure will function safely despite unavoidable cybersecurity threats."
Dale Nordenberg, executive director of the Medical Device Innovation, Safety and Security consortium, says he also "applauds" the bill and the additional attention it potentially brings to medical device cybersecurity issues. However, he notes that there appear to be "gaps" in the proposal.
For instance, while Blumenthal's statement about the bill appears to focus on the risk of patient data privacy posed by poor medical device security, the legislation doesn't acknowledge the potential risks to patient safety that are also posed by cyberattacks involving medical devices, he says.
In addition, the proposed legislation doesn't appear to acknowledge work already being done - including Food and Drug Administration cyber guidance and information sharing activities related to device vulnerabilities by organizations such as MDISS and the National Health Information Sharing and Analysis Center, Nordenberg notes.
"It doesn't recognize that a lot of this work has been going on the last eight years, including by FDA, MDISS and NH-ISAC, healthcare systems and medical device manufacturers," he says.
For example, MDISS, under a $1.8 million contract from the DHS, has built a medical device cyber risk assessment platform, or 'MDRAP' that assists health systems, device manufacturers, and technology firms to collaborate and share device risk assessments.
"Medical device cybersecurity is a public health challenge and needs to be treated as such," says Nordenberg, who was formerly CIO of the Centers for Disease Control and Prevention.
"Every single month there are medical device vulnerabilities that are found that can be hacked. But every drug can also make you sick. There's a disconnect between technical vulnerabilities and keeping the population safe. It's important to use best practices to render these products safe," he says.
"Public health professionals know how to assess exposure to risk and intervene, he says. That should hold true with how medical device cybersecurity is approached."
Joshua Corman, founder of grassroots cybersecurity advocacy group, I Am The Cavalry, and director of the Cyber Statecraft Initiative at the Atlantic Council, also notes that some of the bill's proposals appear to cover ground that's being addressed by various stakeholders. That includes the FDA repeatedly telling the medical device industry that patches to fix security vulnerabilities in their products do not require FDA review.
Corman also notes that I am the Cavalry in 2016 issued a Hippocratic Oath for Connected Medical Devices containing five key principals, including that the medical device ecosystem should support "prompt, agile, and secure updates."
But Corman says Blumenthal's proposed legislation could also provide an opportunity for the Senate to tap work by the Department of Health and Human Service's cyber task force, of which Corman is a member. The task force earlier this year issued a report with recommendations for how the healthcare sector can improve its cybersecurity, including suggestions related to medical devices.
"I'd like to see how this legislation might build off of work done by the cyber task force," Corman says.
ICS-CERT and Medical Devices
Billy Rios, a researcher and ethical hacker who focuses on medical device cybersecurity, says he particularly likes the bill's proposal that requires security testing before medical devices are released to the public.
"I've certainly seen medical devices that have been released without any testing," he says. He notes that a recent study by research firm Ponemon Institute found that only 51 percent of medical device manufacturers and 44 percent of healthcare delivery organizations follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.
"If the bill increases the number of organizations doing testing, it'll improve the overall cyber security hygiene of the ecosystem," Rios says.
Additionally, Rios says he supports the bill's proposal "to formally recognize" DHS ICS-CERT as a key player in dealing with medical device vulnerabilities coordination. "ICS-CERT has been instrumental in all the medical device vulnerability disclosures that I've been involved with. The folks at DHS do a lot of behind the scenes work. One of the medical device vulnerability disclosures I've worked on took over two years of coordination with the vendor. DHS was there shepherding the processes from start to finish," he says.
However, one thing missing from the proposals is mention of any penalties," Rios says. "If we're going to propose requirements, there must be some penalties for those organizations that ignore the requirements. We already have formal guidance from the FDA, but only about half of the medical device manufacturers are actually following the guidance."