Last week, the Chairman on the House of Representatives’ Committee on Energy and Commerce, Greg Walden (R-OR), sent a formal letter to the Dept. of Health and Human Services (“HHS”) requesting that HHS “develop a plan of action for creating, deploying, and leveraging [bill of materials] for health care technologies.” Walden gave HHS until December 15th to respond with a plan of action. This development is important for hospitals and other health care organizations because it could indicate that HHS may begin to prioritize examining (and/or enforcing existing requirements, such as the HIPAA risk analysis provisions in 45 C.F.R. § 164.308(a)(1)), related to the formal processes in which such organizations engage to identify and mitigate potential risks and vulnerabilities.
A bill of materials (“BOM”) is a list of each component, including software components, and any known risks associated with a component of a piece of medical technology. The idea behind the request is that a BOM could potentially provide visibility on cybersecurity risks for health care organizations that use such technologies. Healthcare organizations, such as hospitals, may then use the BOM to assess and mitigate their own cybersecurity risks.
Citing many recent cybersecurity attacks against both hospitals and medical devices, Walden stated that it is important to elevate “the security posture of health care organizations,” by providing visibility into the products and systems the organization uses. Walden also pointed to similar recommendations made in the recent Health Care Industry Cybersecurity Task Force report and concerns raised by the WannaCry and NotPetya ransomware attacks (both of which we have covered extensively in the past – click here, here and here). Health care organizations will use this increased visibility to “assess their levels of risk and adjust their [cybersecurity risk management] strategies appropriately.” Health care organizations would then use the BOM to assess the risk of medical devices and other pieces of technology on their networks and implement any necessary mitigation strategies.
The natural outcome of greater transparency into risks is the impetus to mitigate the risks. This is important for hospitals and other health care organizations to keep in mind as the outcome of Walden’s request moves through HHS and its related agencies. Medical device manufacturers must already perform systematic risk management activities and keep records of the components that are used in their devices. “Covered Entities” and “Business Associates” subject to the HIPAA Security Rule must likewise conduct risk analyses and periodic evaluations of security efforts (see, for example, 45 C.F.R. §§ 164.308(a)(1) & 164.308(a)(8)). However, managing cybersecurity risks inherent in the interactions between medical devices, the resident IT systems, and operators could prove to be a larger task for health care organizations.