New legislation introduced in the Senate looks to add requirements for medical device cybersecurity, including mandated testing and better remote access protections.
In addition to minimum testing requirements, the Medical Device Cybersecurity Act of 2017, introduced by Sen. Richard Blumenthal, D-Conn., would create a “cyber report card” to increase transparency of medical device security.
The bill would also improve remote access protections, provide recommendations for end-of-life devices and expand the responsibilities of the Department of Homeland Security’s Computer Emergency Readiness Team to include medical devices.
A recent poll showed device manufacturers are increasingly concerned about hackers and 40% are worried an attack will target hardware. Meanwhile, industry leaders have pushed for manufacturers to develop industrywide cybersecurity standards.
“Without this legislation, insecure and easily exploitable medical devices will continue to put Americans’ health and confidential personal information at risk,” Blumenthal said in an announcement.
Additionally, the proposed legislation would ensure that security updates do not require FDA recertification. The belief that they do is a frequent misconception: in most cases, manufacturers are already permitted to make cybersecurity updates without FDA approval.
The bill received support from the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS), which highlighted the need for improved medical device security following two global ransomware attacks.
“WannaCry and Petya shined a bright light on the vulnerabilities in the healthcare sector and more specifically with medical devices,” AEHIS Board Chair Deborah Stevens said in a statement.
Meanwhile, a bipartisan group of senators introduced a bill that would require internet of things devices purchased by the U.S. government to meet minimum security requirements. While the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 broadly addresses mobile devices, it would require federal agencies to use devices that are patchable and don’t contain known vulnerabilities.