Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks.

The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).

Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase.

While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the products. Many medical devices have been found to contain a slew of vulnerabilities that could be exploited by cybercriminals.

Yesterday, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning about vulnerabilities in Siemens CT and PET scanner systems. All four vulnerabilities could be exploited remotely, and ICS-CERT said attacks would require a low skill level.

In March last year, the Department of Homeland Security issued an alert about the Pyxis Supply Station from CareFusion. The drug cabinet system was found to have 1,418 vulnerabilities.

Last year, flaws were discovered in St. Jude Medical devices that, if exploited, would cause the devices to malfunction.

Medical devices are coming to market that have not been adequately tested for security flaws. The problem is widespread. Earlier this year, researchers from security firm WhiteScope conducted an analysis of implantable cardiac devices and programmers. The researchers discovered more than 8,000 security flaws in multiple devices.

A new form of MedJack malware was discovered earlier this year. The malware was developed specifically to attack medical devices such as heart monitors and MRI machines. An earlier version of the malware was used to attack medical devices at three hospitals in 2016.

As Blumenthal correctly points out, “The security of medical devices is in critical condition.” The new bill seeks to address the problem and improve the security of medical devices and increase transparency. If passed, the Medical Device Cybersecurity Act would make healthcare organizations aware of the cyber capabilities of devices and the extent to which those devices have been tested.

Blumenthal points out in a recent blog post, “My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

The Medical Device Cybersecurity Act of 2017 would amend the Federal Food, Drug and Cosmetic Act. Some of the key changes detailed in the Medical Device Cybersecurity Act of 2017 are:

All medical devices would be required to be thoroughly tested for vulnerabilities before sale. A cyber report card would be created for each device, detailing the tests that have been performed.

Remote access protections would need to be incorporated into devices to prevent unauthorized access from inside and outside of hospitals.

The bill would require crucial cybersecurity fixes and updates to remain free and not require FDA recertification.

Manufacturers would be required to issue end-of-life guidance for their devices, detailing how the devices should be disposed of to avoid the exposure of sensitive data. Blumenthal also proposes that ICS-CERT’s responsibilities be expanded to include medical devices.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.