The Medical Device Cybersecurity Act introduced by Connecticut Senator Richard Blumenthal last week is intended to improve the security of medical devices by making it harder for the devices to be hacked. If the legislation is passed, medical device manufacturers will be required to do more to improve security for the entire lifespan of their devices.
Currently, many medical device manufacturers bolt security features on at a late stage of the development process. Protections added that late tend to be partial and hard to maintain; for a device to be defensible over its service life, cybersecurity has to be a design requirement from the start, treated as central to the device's architecture rather than as a finishing step.
Senator Blumenthal explained that medical devices hold a treasure trove of sensitive information, making them a prime target for hackers. He pointed out that currently, “medical device security is in critical condition.” Hacks and ransomware attacks are not going to decrease, so unless cybersecurity is improved, protected health information will remain at risk of theft, and further attacks on the devices themselves can be expected.
At present, manufacturers are selling devices with poor cybersecurity protections. It is a situation that cannot continue. While regulators have taken steps to get device manufacturers to improve cybersecurity measures, more needs to be done and new legislation is required. Blumenthal said, “My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks,” and went on to say, “Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”
The Medical Device Cybersecurity Act is certainly a step in the right direction, but the bill does not say what will happen if manufacturers fail to comply. Two possible ‘incentives’ for device manufacturers would be a ban on the sale of devices in the United States if cybersecurity protections are found to be lacking, or HIPAA-like financial penalties for non-compliance.
As drafted, the bill would require device manufacturers to improve remote access protections so that devices can be accessed securely from inside and outside hospitals, and only by authorized individuals. Manufacturers would be required to issue patches and updates free of charge for the lifespan of the products, without those updates requiring FDA re-certification of the device. Manufacturers would also be required to provide hospitals with secure disposal and recycling instructions, so that devices leaving service do not carry patient data or credentials with them.
The bill also calls for the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to have responsibility for the cybersecurity of medical devices.
The Medical Device Cybersecurity Act is gathering support from industry leaders. Already, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have announced support for the Medical Device Cybersecurity Act.