Cybersecurity Task Force Recommendations for Medical Device Security forces HHS into Action

The House Committee on Energy and Commerce has pleaded with the HHS to move forward on all recommendations for medical device security proposed by the Healthcare Cybersecurity Task Force, seeking quick action to be taken to address existing dangers.

The Cybersecurity Act of 2015 obligated Congress to put together the Healthcare Cybersecurity Task Force to help identify and tackle the unique challenges faced by the healthcare sector when safeguarding data and protecting from cyberattacks.

While healthcare groups are increasing their investment in technologies to avoid cyberattacks, medical devices remain a significant weak point and could easily be targeted by cybercriminals to gain access to healthcare networks and private information.

Earlier in 2017, the Healthcare Cybersecurity Task Force issued a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet implemented all of the recommendations. The House Committee on Energy and Commerce has now pleaded with the HHS to implement all the Cybersecurity Task Force’s recommendations.

Recently, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, sent a message to the HHS, outlining one of the main issues with new technologies is a lack of comprehension regarding their hardware, software, and components.

In the correspondence, Walden stated, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden went on to say, the NotPetya and WannaCry ransomware attacks showed that to be the case. Those attacks leveraged a flaw in Windows Server Message Block (SMBv1), and following the attacks, healthcare groups were scrambling to discover which technologies within their networks leveraged SMBv1 to allow them to minmize risk. That job was made all the more difficult, as information on technologies that targeted SMBv1 was lacking or was simply unavailable.

Those ransomware/wiper cyberattacks are just two recent examples. It was the same scenario for the SamSam ransomware attacks that targeted a flaw in JBoss, while in 2015, weaknesses in the Telnet protocol were identified. Telnet was used in a large number of medical devices, although the devices that used Telnet was not abundantly obvious.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” commented Walden.

Walden stated that the Cybersecurity Task Force has asked for a Bill of Materials as a possible solution to the problem. The Bill of Materials would be applicable to all medical technologies, which list all the components, software, hardware and protocols used, and any known danger associated with those components. Such a Bill of Materials would make it much simpler for healthcare groups to make security decisions, and mitigate risk when new weaknesses are discoverd.

Having a Bill of Materials for all technologies would not completely safeguard the healthcare sector, but Walden explains it is a “common sense step” to improving cybersecurity in the entire industry.

The HHS has been asked to initiate a sector-wide effort to formulate a plan for the creation and deployment of BOMs. Walden pleaded for a plan to be provided by the HHS before December 15, 2017.