Lawmakers introduce bill to beef up medical device cybersecurity with an FDA-led workgroup

A new bill introduced in the House would require the FDA to establish a working group devoted to medical device cybersecurity.

A new bill co-sponsored by two Republican lawmakers aims to address “life-threatening” cybersecurity vulnerabilities with medical devices by bringing together regulators, manufacturers and providers to develop new device guidelines.

Introduced by Rep. Dave Trott, R-Mich., and Rep. Susan Brooks, R-Ind., the Internet of Medical Things Resilience Partnership Act would require the Food and Drug Administration to establish a working group of cybersecurity experts with support from the National Institute of Standards and Technology (NIST) to develop “voluntary frameworks and guidelines” for device cybersecurity.

The group would include representatives from the Office of the National Coordinator for Health IT and the Federal Trade Commission, along with at least 30 representatives from medical device manufacturers, providers, payers and a range of software, hardware and mobile app developers.

“There are millions of medical devices susceptible to cyberattacks and often times, we are wearing these networked technologies or even have them embedded in our bodies,” Brooks said in a release. “Bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality. This can lead to life-threatening cyberattacks on devices ranging from monitors and infusion pumps to ventilators and radiological technologies.”

She added that with a growing number of connected medical devices in use, stakeholders need a framework to ensure the proper protections are in place.

Trott noted that the legislation would “develop a robust yet malleable framework to protect Americans’ most sensitive medical information.”

The Advanced Medical Technology Association (AdvaMed) threw its support behind the bill. AdvaMed CEO Scott Whitaker said medical device cybersecurity is a “shared responsibility among all stakeholders.”

“This bill would promote collaboration among FDA, NIST and other affected stakeholders to continue to advance cybersecurity of networked medical devices,” he said in a statement. “In addition, the legislation would lead to the identification of existing and developing cybersecurity standards, guidelines, frameworks and best practices.”

The proposed legislation follows several other bills submitted to the Senate over the last several months, including the Medical Device Cybersecurity Act of 2017, introduced by Sen. Richard Blumenthal (D-Conn.) in July. That bill includes heavier regulatory language like mandated testing for manufacturers.  

Meanwhile, some manufacturers have advocated for an industry-led approach that would provide basic protections without strangling innovation.