Internet of Medical Things Resilience Partnership Act Bill Introduced

The Internet of Medical Things Resilience Partnership Act has been introduced in the U.S. House of Representatives. The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks.

The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors.

If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the devices to cause patients harm. What is certain is that if nothing is done, the devices will be attacked and healthcare organizations and patients are likely to be harmed.

The Internet of Medical Things Resilience Partnership Act was introduced by Representatives Dave Trott (D-MI) and Susan Brooks (R-IN) last week. Rep. Brooks said, “It is essential to provide a framework for companies and consumers to follow so we can ensure that the medical devices countless Americans rely on and systems that keep track of our health data are protected.”

“In our nation’s hospitals, technology has helped provide better quality and more efficient health care, but the perpetual evolution of technology – its greatest strength – is also its greatest vulnerability,” explained Rep. Trott.

The bill suggests the working group should be led by the U.S. Food and Drug Administration (FDA), and should include representatives from the National Institute of Standards and Technology (NIST), the HHS’ Office of the National Coordinator for Health Information Technology (ONC), the Cybersecurity and Communications Reliability Division of the Federal Communications Commission (FCC), and the National Cyber Security Alliance (NCSA).

At least three representatives of each of the following groups should also join the working group: health care providers, health insurance providers, medical device manufacturers, cloud computing, wireless network providers, health information technology, web-based mobile application developers, and hardware and software developers.

The group will be tasked with developing a cybersecurity framework for medical devices based on existing cybersecurity frameworks, guidance, and best practices. The working group should also identify high priority gaps for which new or revised standards are needed, and develop an action plan to ensure those gaps are addressed.

The working group will be required to submit its report no later than 18 months from the passing of the Internet of Medical Things Resilience Partnership Act.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.