Bill Proposes Medical Device Cyber Framework, GuidelinesSome Experts Question Whether a Voluntary Approach Is Strong Enough
A bill introduced in the House proposes that federal regulators work with healthcare providers and insurers as well as technology firms to recommend "voluntary frameworks and guidelines" to improve the cybersecurity of medical devices.
The Internet of Medical Things Resilience Partnership Act, recently introduced by Dave Trott, R-Mich. and Susan Brooks., R-Ind. proposes that the Food and Drug Administration work with the National Institute of Standards and Technology to establish a working group. The group would develop "recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the U.S. that store, receive, access or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm."
In a statement about why the bill is needed, Rep. Brooks says: "Bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality. This can lead to life-threatening cyberattacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies."
Some security experts say that although the legislative proposal spotlights important issues, it also raises questions about whether a cybersecurity framework for medical devices should build on previous efforts and whether adoption of such a framework should be mandatory.
The proposed working group "should make a list of what 'must' be done versus what 'should' be done," argues Joshua Corman, a fellow at the Atlantic Council and chief security officer at software developer PTC. "There's patient safety as stake."
Medical Device Recommendations?
Besides the FDA and NIST, membership of the working group, as described in the bill, would include representatives of the Office of the National Coordinator for Health IT; the Federal Communication Commission; health IT developers and other technology firms; medical device makers; healthcare providers; and insurers.
The aim is for the working group to make recommendations on several issues, including:
- Existing cybersecurity standards, guidelines, frameworks and best practices that are applicable to mitigate vulnerabilities in medical IoT devices;
- Existing and developing international and domestic cybersecurity standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices;
- High-priority gaps for which new or revised standards are needed;
- Potential action plans by which such gaps can be addressed.
Some security experts says the bill touches upon important security concerns related to medical devices that need to be tackled.
"Over the past couple of years, there has been FDA activity to continue meeting with medical manufacturers to deal with the issue," says Cris Ewell, CISO of Washington state-based UW Medicine. "Having guidelines specific to the medical equipment might help."
Healthcare organizations are dependent on device manufacturers for resolving many security issues, Ewell says. He offers this example: "A recent discovery on a medical device we found RDP [Remote Desk Protocol] open with default credentials on an depreciated OS system with the guidance from the vendor not to install malware protection software, as well as not installing any patches," he says.
"We need to address the issue of information security in relation to the functionality of the device and how the security is baked into the device. We cannot live in the environment where it takes six months to a year to get patches - even if at all. There is a partnership that needs to be developed between the healthcare security community and device manufacturers, which is already started and needs to continue."
Corman of PTC says the NIST framework is a good starting point for discussion about a medical device cybersecurity framework, but that it's not enough. That's because the emphasis of the NIST framework "is around confidentiality of data, not availability and outages that can harm patients," such as ransomware attacks that can potentially impact medical devices as well as hinder access patient records, he notes.
"People make a sincere and historically correct use of the NIST framework, but that alone still misses a lot," he says.
Although the bill proposes "voluntary frameworks and guidelines," Corman contends that it's important to first closely examine what's "required" to improve the cybersecurity of medical devices, and then decide what steps can be considered "voluntary."
In seeking out participants of a working group, members of the Department of Health and Human Services' cyber task force should be considered as candidates, adds Corman, who was a member of that group. The task force earlier this year made a long list of recommendations on how the healthcare sector can improve its cybersecurity, including recommendations related to medical devices, Corman notes. "We dug deep in this. For consistency, the [bill's proposed] working group should build on the prior work of the task force," he says.
Tackling Complex Issues
Former healthcare CIO David Finn, who was also a member of the HHS cyber task force and is now executive vice president at security consulting firm CynergisTek, offers a similar point of view.
"Imperative number two of the task force report is this: Increase the security and resilience of medical devices and health IT. It could not align more closely with the intent of this legislation," he says. "The task force report called for public-private collaboration to address this massive issue. This is a system-of-systems problem. It is complex; it involves millions of legacy devices - many of which cannot even really be secured or supported in the computer and threat environments we operate in today. This is going to take all of us."
Finn stresses, however, that device makers must play a critical role in boosting security. "They will need to step up and work with the government agencies and authorities, with other device makers, with the providers and patients ... with other clinical systems vendors that ingest device data and on down this system-of-systems road," he says.
Finn argues that NIST's Common Security Framework - if "tweaked" - can play a key role if applied to medical devices, so a brand new framework is probably unnecessary.
"We need to formally adopt NIST CSF - like every other critical infrastructure subsector has - and require that it be used," he says. Sharing data among healthcare organizations will prove to be far easier "if we are all speaking the same language," he adds.
Finn points out that NIST has already done some work related to medical devices and mobile apps through its Cybersecurity Centers of Excellence programs and published recommendations.
The FDA and NIST declined to comment on the proposed legislation.