Cybersecurity Task Force Recommendations for Medical Device Security forces HHS into Action

by | Nov 29, 2017

The House Committee on Energy and Commerce has pleaded with the HHS to move forward on all recommendations for medical device security proposed by the Healthcare Cybersecurity Task Force, seeking quick action to be taken to address existing dangers.

The Cybersecurity Act of 2015 obligated Congress to put together the Healthcare Cybersecurity Task Force to help identify and tackle the unique challenges faced by the healthcare sector when safeguarding data and protecting from cyberattacks.

While healthcare groups are increasing their investment in technologies to avoid cyberattacks, medical devices remain a significant weak point and could easily be targeted by cybercriminals to gain access to healthcare networks and private information.

Earlier in 2017, the Healthcare Cybersecurity Task Force issued a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet implemented all of the recommendations. The House Committee on Energy and Commerce has now pleaded with the HHS to implement all the Cybersecurity Task Force’s recommendations.

Recently, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, sent a message to the HHS, outlining one of the main issues with new technologies is a lack of comprehension regarding their hardware, software, and components.

In the correspondence, Walden stated, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden went on to say, the NotPetya and WannaCry ransomware attacks showed that to be the case. Those attacks leveraged a flaw in Windows Server Message Block (SMBv1), and following the attacks, healthcare groups were scrambling to discover which technologies within their networks leveraged SMBv1 to allow them to minmize risk. That job was made all the more difficult, as information on technologies that targeted SMBv1 was lacking or was simply unavailable.

Those ransomware/wiper cyberattacks are just two recent examples. It was the same scenario for the SamSam ransomware attacks that targeted a flaw in JBoss, while in 2015, weaknesses in the Telnet protocol were identified. Telnet was used in a large number of medical devices, although the devices that used Telnet was not abundantly obvious.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” commented Walden.

Walden stated that the Cybersecurity Task Force has asked for a Bill of Materials as a possible solution to the problem. The Bill of Materials would be applicable to all medical technologies, which list all the components, software, hardware and protocols used, and any known danger associated with those components. Such a Bill of Materials would make it much simpler for healthcare groups to make security decisions, and mitigate risk when new weaknesses are discoverd.

Having a Bill of Materials for all technologies would not completely safeguard the healthcare sector, but Walden explains it is a “common sense step” to improving cybersecurity in the entire industry.

The HHS has been asked to initiate a sector-wide effort to formulate a plan for the creation and deployment of BOMs. Walden pleaded for a plan to be provided by the HHS before December 15, 2017.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy