New US legislation that would establish a working group led by the Food and Drug Administration to improve cybersecurity measures in medical technology has been introduced in the House of Representatives.
The Internet of Medical Things Resilience Partnership Act would task the FDA and other government, academic and industry organizations with developing recommendations and guidelines for boosting cybersecurity and resilience of networked medical devices within 18 months of passage of the Act by the full Congress. The bill appears to take into account recommendations recently published by the Health Care Industry Cybersecurity (HCIC) Task Force, a group formed by Congress to identify major US healthcare system vulnerabilities and how to mitigate cyber threats.
The proposed legislation would tap the FDA as the lead organization of the working group, in close consultation with the National Institute of Standards and Technology (NIST). Other group members representing the federal government would include the FDA Center for Devices and Radiological Health (CDRH), the Office of the National Coordinator for Health Information Technology, the Federal Trade Commission’s Office of Technology Research, and the Federal Communications Commission’s Cybersecurity and Communications Reliability Division.
In addition, the FDA Commissioner would be responsible for appointing private-sector representatives to the working group from sectors including medical device manufacturers, healthcare providers, insurers, health information technology providers, and developers involved in mobile medical applications, cloud computing and wireless networks.
According to the bill, recommendations the working group’s final report should cover include:
How does this new bill align with HCIC Task Force recommendations published earlier in 2017?
Established by the Cybersecurity Act of 2015, the HCIC Task Force identified several critical areas that need to be addressed in order to reduce the US healthcare system’s high vulnerability to cyber threats:
The Internet of Medical Things Resilience Partnership Act’s proposal to form a working group made up of regulators as well as industry representatives does seem in line with the HCIC Task Force’s push for stronger public-private collaboration. However, the HCIC Task Force’s report includes highly detailed recommendations and action items for improving cybersecurity practices; assuming it wins passage, will the Act’s working group deliver recommendations that build upon those already issued by the Task Force, or will they merely repeat them?
Anura Fernando, Principal Engineer for Medical Systems Interoperability and Security at UL and a member of the HCIC Task Force, says that the faster legislation such as the Internet of Medical Things Resilience Partnership Act can address ongoing healthcare cybersecurity vulnerabilities, the better.
“Having had the privilege to be a member of the Task Force, I am hopeful that legislation such as this can help to quickly build public-private partnerships that support the industry’s cybersecurity governance needs, provide solutions to address the convergence of medical devices and health IT, and broaden the stakeholder base for information sharing to ultimately improve cybersecurity awareness and preparedness in this sector,” Fernando says.