Senator Richard Blumenthal (D-CT) introduced a bill (S.1656), The Medical Device Cybersecurity Act of 2017 (Bill), on July 27, 2017. The Bill aims to protect patient safety from medical device cyberattacks and improve medical device security by:
- Increasing the transparency of medical device security by creating a cyber report card for devices and mandating product testing prior to sale;
- Bolstering remote access protections for medical devices in and outside of hospitals;
- Ensuring crucial cybersecurity fixes or updates for medical devices remain free and do not require FDA’s prior authorization;
- Providing guidance and recommendations for end-of-life devices, including secure disposal and recycling instructions; and
- Expanding the Department of Homeland Security’s Computer Emergency Readiness Team’s (ICS-CERT) responsibilities to include the cybersecurity of medical devices.
The Bill received immediate support from the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security, both of which represent important stakeholders in the healthcare cybersecurity area.
The Bill itself incorporated several recommendations from the Department of Health and Human Services’ (HHS) Health Care Industry Cybersecurity Task Force report, entitled “Report on Improving Cybersecurity in the Health Care Industry” (Report). The Report, which was submitted to Congress in June of this year, highlighted the challenges for the healthcare industry in the area of cybersecurity and outlined several imperatives. The second imperative is to increase the security and resilience of medical devices and health information technology (IT). The imperative advocates for medical device manufacturers to implement security by design, improve security to access information stored on their medical devices, enhance transparency regarding third party software components used, and assure their abilities to provide IT support during the lifecycle of their medical devices.
The cybersecurity of medical devices is not a new issue for regulators, policymakers, and industry. However, while FDA’s cybersecurity guidance documents already put a fine point on the importance of medical device cybersecurity, the Bill and recent HHS report reinforce the importance that the U.S. government will place on regulating the cybersecurity of medical devices in years to come. We will update you as the Bill progresses.