The House Energy and Commerce Committee has asked the Department of Health and Human Services to begin drawing up plans to provide more transparency about the cybersecurity risks within medical devices.
In a letter to HHS Acting Secretary Eric Hargan, Rep. Greg Walden, R-Ore., requested the agency adopt a key recommendation outlined in a report by the HHS Cybersecurity Task Force released earlier this year: Include a bill of materials (BOM) for all medical devices so organizations can better understand device vulnerabilities.
Referring to healthcare medical technology as a “black box,” Walden acknowledged that providing more information about the software and hardware within medical devices “is not a panacea or a silver bullet for complex cyber threats,” but a basic step that can help organizations protect against known vulnerabilities.
“After all, an organization cannot protect what it does not know it has,” Walden wrote.
Walden requested that Hargan submit a plan of action for “creating, deploying and leveraging BOMs for healthcare technologies” no later than Dec. 15.
Joshua Corman, founder of I Am The Cavalry and chief security officer at PTC, who served on the HHS Cybersecurity Task Force, was pleased to see Walden’s letter make specific reference to BOMs, but he said the inclusion of a “nutrition label and ingredients list in medical devices is inevitable.” Some in the medical device industry have already begun including BOMs voluntarily, and Corman says he expects the FDA will eventually incorporate BOMs into its premarket guidance for medical devices, or that lawmakers will add the requirement to existing medical device cybersecurity legislation.
Medical device BOMs would have several ripple effects, giving healthcare providers a better understanding of their vulnerabilities during an attack while also allowing them to take proactive measures when purchasing new equipment. Furthermore, greater transparency will naturally lead to more defensible products and, perhaps most importantly, provide organizations with the necessary product information when the manufacturer is acquired or goes out of business.
“Any endeavor that has the ability to impact public safety and human life requires the highest forms of transparency and risk management,” Corman told FierceHealthcare.
Critics argue that BOMs hand attackers a blueprint of known vulnerabilities. But Corman argues that attackers are already aware of those weaknesses, and that providing healthcare organizations with BOMs would be one way to try to level the playing field.
“The truth is, the benefits of BOMs far outweigh any well-meaning but misinformed risks,” he says.