FDAnews
www.fdanews.com/articles/12056-cybersecurity-bill-draws-support-from-stakeholders

Cybersecurity Bill Draws Support From Stakeholders

August 25, 2017

A recently introduced cybersecurity bill for medical devices is attracting some support — at least from the medical community.

The Medical Device Cybersecurity Act of 2017 (S. 1656), introduced last month by Sen. Richard Blumenthal (D-Conn.), aims to address the problem of device manufacturers who “knowingly or unknowingly” sell devices that fail to safeguard patient records and health.

Among other provisions, the bill calls for an annual “cyber report card” for devices and mandated testing prior to sale. The report card would include a cybersecurity risk assessment conducted by the manufacturer or a third party, explaining the risks and clinical hazards.

The cyber report card would include:

  • A description of any cybersecurity evaluation conducted on the device, including any testing of the device, who conducted the evaluation, and the results.
  • An indication of whether the device is capable of being remotely accessed.
  • A description of any manufacturer controls that address known common vulnerabilities.

The WannaCry ransomware attack “shined a bright light on the vulnerabilities in the healthcare sector and more specifically with medical devices,” said Deborah Stevens, chief security officer at Tufts HealthPlan and chairperson of the board at the Association for Executives in Healthcare Information Security, which supports passage the bill.

“Initially, I actually liked the FDA’s approach of building collaboration and allowing manufacturers to develop their own path forward,” said Axel Wirth, technical architect for Symantec Corporation. However, too many manufacturers do not see themselves as security partners to healthcare providers and “think there is still ‘no business case’ in investing in security. So, looking at the entire spectrum, I have to admit that we probably need the legislative pressure in order to move forward.”

Devicemakers are unequipped to develop and maintain appropriate cybersecurity controls for their products, according to the Healthcare Industry Cybersecurity Task Force’s Report on Improving Cybersecurity in the Healthcare Industry. No company within the industry is able to “provide a comprehensive information sharing solution to the entire industry,” the task force found.

The Chertoff Group, a security and risk management advisory firm, noted that “many industry providers are small or medium-sized businesses with little to no cybersecurity expertise or ability to process significant amounts of information,” which means manufacturers would need to outsource their cybersecurity needs in order to meet the requirements of the act. The group projects that the use of connected devices or remote patient monitoring will grow at an annual rate of 47.9 percent.

Read the text of the bill here: www.fdanews.com/08-23-17-CybersecurityBill.pdf. — Donna Scaramastra Gorman