
Proposed bill seeks to establish frameworks, guidelines for medical device security

Chris Nerney, Contributing Writer

A recent Unisys survey on connected medical devices shows that most consumers are concerned about hackers and other unauthorized people gaining access to internet-connected medical devices belonging to them or someone they know.

Their concerns are understandable. More data than ever is being created, collected, stored, and transmitted from clinical medical devices, consumer wearables, and the Internet of Things (IoT), making them high-value targets for hackers and other bad actors. Further, older connected medical devices lack the security features necessary for the digital age, while many manufacturers of new IoT devices simply overlook security.

Now a new piece of legislation has been introduced in Congress to address the IoT medical device security problem. The Internet of Medical Things Resilience Partnership Act, unveiled in October by Reps. Dave Trott, D-Michigan, and Susan Brooks, R-Indiana, would require the Food and Drug Administration (FDA) to convene a working group of cybersecurity experts to craft recommended voluntary frameworks and guidelines for securing medical devices.

As Healthcare IT News Managing Editor Bill Siwicki writes, cybersecurity pros are hopeful the proposed bill will help tighten medical device security.

“There is no such thing as 100 percent security, but we need to identify what you might call the commercially reasonable solutions,” Alan Brill, senior managing director of cybersecurity and investigations practice at investigations and risk mitigation firm Kroll, told Siwicki. “Just as a drug can be accepted as very effective even though some people might have negative reactions, so too Internet of Things medical devices have to get to that level.”

Brill said the working group proposed under the bill ideally would “have a mix of industry, academics and independent experts.”

“I don’t think the effort would be credible with only manufacturer experts,” he said. “Obviously, I’d include the FDA and NIST. The independent experts should be from organizations that are technology-agnostic and do not sell hardware or software, but who bring long experience in information security.”

Marcus Christian, partner, cybersecurity and data privacy practices, at law firm Mayer Brown, agreed that healthcare providers “need to be at the table in deciding how to address challenges.”