Senate Bill Calls for Cybersecurity ‘Report Card’ on Medical Devices


Posted August 18, 2017

Following a string of high-profile cyberattacks, one U.S. senator thinks it’s time for the government to take a more aggressive role in bolstering the cybersecurity of medical devices, saying that industry itself has failed to adequately address the problem. Earlier this month, Sen. Richard Blumenthal (D-CT) introduced the Medical Device Cybersecurity Act of 2017 (S. 1656), which would require devices to come with a “cyber report card,” among other provisions.

The introduction of this legislation comes on the heels of a report that a Department of Health and Human Services (HHS) task force presented to Congress in June. In its Report on Improving Cybersecurity in the Healthcare Industry, the 21-member Health Care Industry Cybersecurity Task Force concluded that “healthcare cybersecurity is in critical condition”—a condition Blumenthal believes this legislation can reverse.

“My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks,” Blumenthal said in a statement. “Without this legislation, insecure and easily exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

To mitigate this risk, the Medical Device Cybersecurity Act proposes to:

  • Create a cyber report card for medical devices and mandate testing prior to sale.
  • Bolster remote access protections for medical devices both inside and outside of hospitals.
  • Ensure crucial cybersecurity updates and patches remain free and do not require recertification by the Food and Drug Administration (FDA).
  • Provide guidance and recommendations for end-of-life devices, including secure disposal and recycling instructions.
  • Expand the responsibilities of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to include the cybersecurity of medical devices.

The introduction of this legislation sends several messages to the medical device industry, according to Axel Wirth, distinguished technical architect for Symantec Corporation.

“The obvious one is that the topic of medical device security is getting attention outside the traditional community of regulators, manufacturers, hospitals, and security professionals and is recognized on a political level as a matter of citizen safety and national security,” he said. “I think further, it sends the message that patience is running out, and that after FDA’s lead with their cybersecurity guidance, we are now looking at the potential of legal enforcement.”

A Step in the Right Direction

Based on his experiences in the field, Wirth sees the potential benefits of Congress getting involved.

“Initially, I actually liked the FDA’s approach of building collaboration and allowing manufacturers to develop their own path forward. Many manufacturers actively engaged in the public discussion and took a lead in developing solid security programs,” Wirth said. “However, I have also spoken to too many that are still not seeing the problem or accepting their role as a security partner to healthcare providers and plainly think there is still ‘no business case’ in investing in security. So, looking at the entire spectrum, I have to admit that we probably need the legislative pressure in order to move forward.”

The bill has garnered the support of the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).

“We appreciate Senator Blumenthal’s leadership and interest in this complicated issue as providers try to ensure that patients get the benefits that medical devices offer without exposing them to potential safety risks,” said CHIME Board Chair Liz Johnson in a press release. “CHIME is pleased to endorse this legislation. We look forward to continuing a dialogue with members of Congress, the administration, and industry partners on this critical issue.”

AEHIS Board Chair Deborah Stevens added that recent global ransomware attacks have shown just how vulnerable the healthcare sector is.

“WannaCry and Petya shined a bright light on the vulnerabilities in the healthcare sector and more specifically with medical devices,” said Stevens, who is also chief security officer at Tufts Health Plan. “On behalf of the AEHIS membership, we applaud Senator Blumenthal for taking on this important issue.”

The Potential for ‘Unintended Consequences’

Others are not convinced legislation is the answer. For one member of AAMI’s Wireless Strategy Task Force, the introduction of this bill shows that it’s “too little, too late on our part; too much, too soon on their part.”

“I see all kinds of unintended consequences in this,” he warned. “[Legislators] have a preconceived notion of what a ‘device’ is (presumably they mean a ‘medical device’) with an apparent lack of understanding or appreciation for just how nebulous that term is nowadays. I give them credit for trying, but I’m not convinced it will solve much.”

Others, such as Paul R. Sherman, CCE, technical program manager for the IHE Patient Care Device domain, are concerned about the burden this legislation would put on federal regulators if it passes. “It puts more work on the FDA, when they don’t have the resources to manage the duties they already have,” he said.

A Tough Road to Passage

The current political environment suggests that Blumenthal’s bill faces an uphill battle toward becoming law: He is a Democrat introducing a bill in a Congress controlled by Republicans and serving under a Republican president. The GOP philosophy has generally been one of reducing government regulations, not adding to them.

According to GovTrack.us, a project of Civic Impulse, LLC that tracks and provides statistical analysis of bills introduced in Congress, the Medical Device Cybersecurity Act of 2017 has a 1% chance of being enacted.

Even if it does pass both houses of Congress, simply having this law on the books isn’t going to be enough to fix the problem, according to Wirth.

“Assuming the bill becomes law and manufacturers start to provide more secure devices and develop better processes to maintain the security of their devices in the field, we still need to make sure that the hospitals follow their security recommendations and, for example, implement secure architecture and deploy patches in a timely manner,” he said. “Compare it to the seatbelt laws―they mandate that car manufacturers provide seat belts in all cars sold in the U.S. but also require that I, as a driver, actually use the seat belt.”