House asks HHS for plan on including bill of materials for medical devices
The House Committee on Energy and Commerce is asking the Department of Health and Human Services to follow through with a key recommendation outlined in the HHS Cybersecurity Task Force report from June: Include bill of materials for every medical device to alert organizations to device flaws.
The letter to HHS Acting Secretary Eric Hargan from Rep. Greg Walden, R-Oregon, asks the agency to develop its plan to create, deploy and leverage BOMs for healthcare devices, by collaborating with all interested stakeholders to achieve “the strongest and most effective solution.”
The task force’s report highlighted the healthcare sector’s struggle to find and fix flaws in these devices. Walden explained that “an organization can’t protect what it doesn’t know it has.”
As laid out in the report, the BOM included with all devices would describe its components, along with any known risks associated with those elements. The group believes BOMs will give transparency to organizations trying to manage vulnerabilities within its network and are key to assessing threats.
“Post-outbreak analyses of WannaCry and NotPetya and Committee staff work on healthcare issues demonstrate the risks presented by the continued prevalence of insecure and legacy components in healthcare technologies,” Walden wrote.
“This situation is untenable…” he continued. “While the implementation and use of BOMs will not completely protect the healthcare sector from cyber threats, it is an important, commonsense step towards improving cybersecurity of the sector overall.”
Walden asked HHS to present its plan to the committee no later than Dec. 15. Further, he asked the agency to make its staff available to give the committee a briefing on the work being done in this area.