Medical IoT legislation could boost device security... if it can get through Congress
Medical devices are notorious entry points for cybercriminals into hospital networks because the security of these aging devices historically has been overlooked from the start by manufacturers. But there is a piece of legislation that would help ease the problem if it makes it through Congress and is signed into law.
That’s the Internet of Medical Things Resilience Partnership Act. Introduced by Representatives Dave Trott, D-Michigan, and Susan Brooks, R-Indiana, last month, the legislation would require the Food and Drug Administration to establish a working group of cybersecurity experts to recommend voluntary frameworks and guidelines for medical device security.
Hospital IT and security shops have the opportunity to understand the act and -- if it suits their particular organization -- call elected officials and urge them to act on it, or suggest ways to improve it based on what their organization needs.
Why? And what effects could this act have on healthcare cybersecurity? How could frameworks and guidelines help hospital and health system CIOs and CISOs better secure medical devices?
Cybersecurity experts said the Internet of Medical Things Resilience Partnership Act could be a good first step toward heightened cybersecurity.
“The technology is expanding rapidly, and we have already seen instances where cybersecurity weaknesses have led the FDA to issue warnings,” said Alan Brill, senior managing director, cybersecurity and investigations practice, at Kroll, an investigations and risk mitigation firm. “The potential downsides are too important to leave to individual company planning.”
The industry needs this working group to develop guidelines that provide protection but in a way that is cost-effective for developers and manufacturers and provides appropriate protection for patients, he added.
“There is no such thing as 100 percent security, but we need to identify what you might call the commercially reasonable solutions,” Brill said. “Just as a drug can be accepted as very effective even though some people might have negative reactions, so too Internet of Things medical devices have to get to that level.”
There are significant cyber-threats against the medical IoT today. And there are elements of a framework or guideline that could help healthcare provider organizations combat these threats. But who should create the frameworks and guidelines? Cybersecurity experts have their suggestions.
“I’d like to have a mix of industry, academics and independent experts,” Brill said. “I don’t think the effort would be credible with only manufacturer experts. Obviously, I’d include the FDA and NIST. The independent experts should be from organizations that are technology-agnostic and do not sell hardware or software, but who bring long experience in information security.”
To be most effective, efforts to promote medical device cybersecurity need significant contributions from a variety of stakeholders, including device manufacturers, providers and researchers, among others, said Marcus Christian, partner, cybersecurity and data privacy practices, at law firm Mayer Brown. Prior to joining Mayer Brown, Marcus was a prosecutor at the U.S. Attorney’s Office for the Southern District of Florida, where he prosecuted both healthcare and cybercrime cases.
“Healthcare provider organizations will want to make sure to help shape the frameworks,” he added. “Healthcare providers will be on the front lines in dealing with consequences of medical device cybersecurity challenges. They need to be at the table in deciding how to address challenges.”
Guidelines for medical IoT cybersecurity need to make sense for patients, clinicians and manufacturers and help define what is commercially and clinically reasonable. If there are any lessons to be learned from recent breaches of healthcare information, it’s that no matter how hard one tries, security problems will pop up.
“It could be a small programming error, it could be a problem with the tools used for development that was just discovered by a hacker, a so-called zero-day flaw,” Brill said. “So the guidelines have to assume that problems may arise and cover not only what constitutes building a device with reasonable security, but also what can be securely updated so that problems can be solved with appropriate security patches.”