The House Energy and Commerce Committee is giving the Department of Health and Human Services until Dec. 15 to come up with an action plan for creating “bills of materials” (BOMs) to enhance cybersecurity for healthcare technologies.
Creating a BOM for each component of a medical technology, including hardware and software, was among the six recommendations in the 2017 report from the Health Care Industry Cybersecurity Task Force established by HHS in 2016 per the Cybersecurity Act of 2015.
In a Nov. 16 letter to HHS, the lawmakers pointed to recent cyber attacks that highlighted the vulnerabilities and unpreparedness of the healthcare sector to “increasingly sophisticated and rapidly evolving cyber threats.”
The lack of information about the various components of the technologies forced stakeholders to “take less targeted, and thus less effective, remediation steps, or to contact the manufacturers individually to try and obtain the missing information,” the committee wrote.
As examples of known risks, they cited the vulnerabilities found in St. Jude Medical’s (now Abbott’s) implantable cardiac pacemakers and Merlin@home transmitter that were flagged by the FDA and the Department of Homeland Security earlier this year.