EMERGO SUMMARY OF KEY POINTS:

• New legislation introduced in the US House of Representatives would launch a working group headed by the FDA to develop strategies for mitigating cybersecurity risks in medical technology.
• The proposed legislation builds on recommendations issued by the Health Care Industry Cybersecurity Task Force earlier in 2017.
• If passed by the full Congress, the legislation would require the FDA-led working group to report on its efforts within 18 months.

New US legislation that would establish a working group led by the Food and Drug Administration to improve cybersecurity measures in medical technology has been introduced in the House of Representatives.

The Internet of Medical Things Resilience Partnership Act would task the FDA and other government, academic and industry organizations with developing recommendations and guidelines for boosting cybersecurity and resilience of networked medical devices within 18 months of passage of the Act by the full Congress. The bill appears to take into account recommendations recently published by the Health Care Industry Cybersecurity (HCIC) Task Force, a group formed by Congress to identify major US healthcare system vulnerabilities and how to mitigate cyber threats.

Proposed working group members

The proposed legislation would tap the FDA as the lead organization of the working group, in close consultation with the National Institute of Standards and Technology (NIST). Other group members representing the federal government would include the FDA Center for Devices and Radiological Health (CDRH), the Office of the National Coordinator for Health Information Technology, the Federal Trade Commission’s Office of Technology Research, and the Federal Communications Commission’s Cybersecurity and Communications Reliability Division.

In addition, the FDA Commissioner would be responsible for appointing private-sector representatives to the working group from sectors including medical device manufacturers, healthcare providers, insurers, health information technology providers, and developers involved in mobile medical applications, cloud computing and wireless networks.

What the working group’s report should include

According to the bill, recommendations the working group’s final report should cover include:

• Identifying which cybersecurity standards, frameworks and best practices currently available are suitable to address medical device and technology vulnerabilities
• Which US and international cybersecurity standards and practices either currently in use or under development that can mitigate vulnerabilities
• Identifying high-priority gaps that require new or updated cybersecurity standards
• Action plans to properly reduce those high-priority gaps

Health Care Industry Cybersecurity Task Force recommendations             

How does this new bill align with HCIC Task Force recommendations published earlier in 2017?  

Established by the Cybersecurity Act of 2015, the HCIC Task Force identified several critical areas that need to be addressed in order to reduce the US healthcare system’s high vulnerability to cyber threats:

• Defining leadership, governance and expectations for medical device and healthcare industries in terms of managing cybersecurity efforts
• Increasing security and resilience of medical devices as well as healthcare technologies and networks
• Building up healthcare workforce capacity to improve cybersecurity awareness and technical know-how
• Increasing cybersecurity awareness and education among healthcare industry participants
• Finding ways to improve protection for research and development as well as intellectual property against cyber-attack or exposure
• Boosting information sharing regarding healthcare industry threats, vulnerabilities and mitigation steps

The Internet of Medical Things Resilience Partnership Act’s proposals to form a working group made up of regulators as well as industry representatives does seem in line with the HCIC Task Force’s push for stronger public-private collaboration. However, the HCIC Task Force’s report includes highly detailed recommendations and action items for improving cybersecurity practices; assuming it wins passage, will the Act’s working group deliver recommendations that build upon those already issued by the Task Force, or will they merely repeat them?

Anura Fernando, Prinicipal Engineer for Medical Systems Interoperability and Security at UL and a member of the HCIC Task Force, says that the faster legislation such as The Internet of Medical Things Resilience Partnership Act can address ongoing healthcare cybersecurity vulnerabilities, the better.

“Having had the privilege to be a member of the Task Force, I am hopeful that legislation such as this can help to quickly build public-private partnerships that support the industry’s cybersecurity governance needs, provide solutions to address the convergence of medical devices and health IT< and broaden the stakeholder base for information sharing to ultimately improve cybersecurity awareness and preparedness in this sector,” Fernando says.

Related US regulatory and cybersecurity resources from Emergo:

• Medical device cybersecurity compliance consulting and support
• Wireless compliance consulting for medical device companies
• US FDA consulting for medical device and IVD companies
• Webinar: Mapping cybersecurity standards to FDA medical device guidance
• Whitepaper: US FDA cybersecurity requirements for medical devices