Inside CHIME: Cybersecurity Bill Takes Aim at Vulnerabilities in Medical Devices
8.3.17 By Leslie Krigstein, VP of Congressional Affairs, CHIME
On July 27, U.S. Senator Richard Blumenthal (D-CT) introduced the Medical Device Cybersecurity Act of 2017, a bill that CHIME supports. The legislation, S.1656, would make the cybersecurity capabilities of medical devices more transparent to providers, clarify expectations concerning security enhancements and maintenance of medical devices, and establish a cybersecurity emergency response team.
“The security of medical devices is in critical condition,” Blumenthal said in a statement. “My bill will strengthen the entire healthcare network against the ubiquitous threat of cyber attacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”
The bill would amend the Federal Food, Drug, and Cosmetic Act to provide cybersecurity protections for medical devices by:
- Increasing transparency of medical device security by creating a cyber report card for devices and mandating testing prior to sale;
- Bolstering remote access protections for medical devices in and outside of the hospital;
- Ensuring crucial cybersecurity fixes or updates remain free and do not require FDA recertification;
- Providing guidance and recommendations for end-of-life devices, including secure disposal and recycling instructions; and
- Expanding the DHS Computer Emergency Readiness Team (ICS-CERT) responsibilities to include the cybersecurity of medical devices.
Both CHIME Board Chair Liz Johnson and AEHIS Board Chair Deborah Stevens voiced support for the bill. Johnson, CIO of Acute Care Hospitals and Applied Clinical Informatics at Tenet Healthcare, noted that cybersecurity remains a top priority for members. Stevens, chief security officer at Tufts Health Plan, pointed to the WannaCry and Petya cyber attacks as proof of the need for such legislation.
The Health Care Industry Cybersecurity Task Force Report delivered to Congress on June 2, 2017, highlighted the critical state of the healthcare industry’s cybersecurity posture. Among many other issues, the report offered a number of suggestions to improve medical device cybersecurity, some of which have been included in the Medical Device Cybersecurity Act of 2017.
We will continue to monitor this bill and provide updates. If you have questions, please contact us at [email protected].
Inside CHIME Volume 2, No. 16