HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks.

The Cybersecurity Act of 2015 required Congress to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks.

While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data.

Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations.


Last week, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, wrote to the HHS, explaining that one of the main problems with new technologies is a lack of understanding of their hardware, software, and components.

In the letter, Walden explained, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden explained, the NotPetya and WannaCry ransomware attacks proved that to be the case. Those attacks leveraged a vulnerability in Windows Server Message Block version 1 (SMBv1), and following the attacks, healthcare organizations were scrambling to determine which technologies on their networks used SMBv1 so that they could mitigate the risk. That task was made all the more difficult because information on which technologies used SMBv1 was lacking or simply unavailable.

Those ransomware/wiper attacks are just two examples. The situation was the same for the SamSam ransomware attacks, which leveraged a vulnerability in JBoss, and for the vulnerabilities in the Telnet protocol discovered in 2015. Telnet was used in many medical devices, although which devices used it was not abundantly clear.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” wrote Walden.

Walden pointed out that the Cybersecurity Task Force has called for a Bill of Materials as a possible solution to the problem. A Bill of Materials would exist for every medical technology, detailing all the components, software, hardware, and protocols used, along with any known risks associated with those components. Such a Bill of Materials would make it much easier for healthcare organizations to make security decisions and to mitigate risk when new vulnerabilities are identified.
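To make the Bill of Materials argument concrete, the following is an added example (not code from the article, the Task Force, or any vendor) of the triage step described above: when an advisory names a component such as SMBv1 or Telnet, a per-device BOM lets an organization list which devices carry that component and, just as importantly, which devices cannot be cleared because no BOM exists for them. Every device, model, component, and advisory identifier below is a constructed placeholder; the `VendorNetStack` library and the `ADV-*-PLACEHOLDER` identifiers are invented for illustration.

```python
"""Added example (not from the article): triaging a device fleet against a
new advisory using per-device Bills of Materials. All device data, advisory
identifiers and component names below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY_VERSION = "*"  # advisory covers every version of the named component


@dataclass(frozen=True)
class Component:
    """One entry in a device's Bill of Materials."""
    name: str                   # software, hardware or protocol name
    kind: str                   # "os", "protocol", "library", "hardware"
    version: str = ANY_VERSION  # protocols typically carry no version


@dataclass(frozen=True)
class DeviceBOM:
    device_id: str
    model: str
    components: Tuple[Component, ...]  # empty tuple: vendor supplied no BOM


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component_name: str
    affected_versions: frozenset  # frozenset({ANY_VERSION}) = all versions


# Constructed sample fleet; models and identifiers are not real products.
FLEET = [
    DeviceBOM("INF-001", "infusion pump", (
        Component("Windows Embedded Standard", "os", "7"),
        Component("SMBv1", "protocol"),
        Component("Telnet", "protocol"),
    )),
    DeviceBOM("IMG-002", "imaging workstation", (
        Component("Windows", "os", "10"),
        Component("SMBv2", "protocol"),
        Component("VendorNetStack", "library", "3.0"),
    )),
    DeviceBOM("MON-003", "patient monitor", (
        Component("Linux", "os", "4.4"),
        Component("Telnet", "protocol"),
        Component("VendorNetStack", "library", "2.3"),
    )),
    DeviceBOM("VEN-004", "ventilator", ()),  # no BOM available from the vendor
]

# Constructed advisories with placeholder identifiers (not real CVEs).
SMBV1_ADVISORY = Advisory("ADV-SMBV1-PLACEHOLDER", "SMBv1", frozenset({ANY_VERSION}))
TELNET_ADVISORY = Advisory("ADV-TELNET-PLACEHOLDER", "Telnet", frozenset({ANY_VERSION}))
NETSTACK_ADVISORY = Advisory("ADV-NETSTACK-PLACEHOLDER", "VendorNetStack", frozenset({"2.3"}))


def component_matches(component: Component, advisory: Advisory) -> bool:
    """True when the component is the one the advisory names and its version is in scope."""
    if component.name.casefold() != advisory.component_name.casefold():
        return False
    return (ANY_VERSION in advisory.affected_versions
            or component.version in advisory.affected_versions)


def triage(fleet: List[DeviceBOM], advisory: Advisory) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split the fleet into devices known to carry the affected component and
    devices that cannot be cleared because no BOM exists for them."""
    affected: Dict[str, List[str]] = {}
    unknown: List[str] = []
    for device in fleet:
        if not device.components:
            unknown.append(device.device_id)  # treat as at-risk until the vendor answers
            continue
        hits = [c.name for c in device.components if component_matches(c, advisory)]
        if hits:
            affected[device.device_id] = hits
    return affected, unknown


def summarize(fleet: List[DeviceBOM], advisory: Advisory) -> str:
    """Human-readable triage summary for one advisory."""
    affected, unknown = triage(fleet, advisory)
    lines = [f"{advisory.advisory_id}: {len(affected)} affected, {len(unknown)} unverifiable"]
    for device_id, hits in sorted(affected.items()):
        lines.append(f"  {device_id}: {', '.join(hits)}")
    for device_id in unknown:
        lines.append(f"  {device_id}: no BOM on file")
    return "\n".join(lines)


if __name__ == "__main__":
    for adv in (SMBV1_ADVISORY, TELNET_ADVISORY, NETSTACK_ADVISORY):
        print(summarize(FLEET, adv))
```

The `unknown` list is the point of the exercise: without a BOM, the ventilator cannot be ruled in or out for any of the three advisories, which is exactly the scramble the letter describes after WannaCry. A real deployment would load the BOMs from the vendor-supplied format rather than from inline constants, but the matching and the "no BOM, no clearance" rule stay the same.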

Having a Bill of Materials for all technologies would not completely protect the healthcare industry, but Walden explains it is a “common sense step” toward improving cybersecurity in the industry as a whole.

The HHS has been urged to convene a sector-wide effort to develop a plan for the creation and deployment of BOMs. Walden called for a plan of action to be provided by the HHS no later than December 15, 2017.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.