A bill called the Internet of Medical Things Resilience Partnership Act was introduced on October 5, 2017, by Republican representatives David Trott and Susan Brooks. The bill calls for the US Food and Drug Administration (FDA) to set up a “working group” with representatives from other federal agencies, industry and academia to “develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices.”
Since 2014, the FDA has held three public workshops on cybersecurity and has issued final guidance on pre- and post-market cybersecurity.
“There are millions of medical devices susceptible to cyber-attacks and oftentimes, we are wearing these networked technologies or even have them imbedded in our bodies,” Republican Brooks said.
“Bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality. This can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies,” he added.
Specifically, the “working group” would include representatives from FDA, the Department of Health and Human Services (HHS), Federal Trade Commission (FTC), Federal Communications Commission (FCC), National Institute of Standards and Technology (NIST) and the National Cyber Security Alliance.
On the industry side, the bill calls for at least three members from each of a number of private sector areas, including medical device manufacturers, healthcare providers, insurers, enterprise security firms, as well as hardware and software developers.
If passed, the bill would require FDA to submit a report to Congress within 18 months identifying current and developing cybersecurity standards, gaps where new or revised standards are needed and a plan to address those gaps.
It is yet to be ascertained how the working group would fit in with FDA’s ongoing cybersecurity efforts, including its memorandum of understanding (MoU) with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS).
Besides, the bill does not mention the Department of Homeland Security (DHS) in the list of working group representatives, despite the agency’s role in coordinating cybersecurity efforts through its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).