House Committee Urges HHS Action on Medical Device RisksBut Some Say the Request Doesn't Go Far Enough
A House committee is urging the Department of Health and Human Services to act soon on a recommendation made by its cybersecurity task force earlier this year: Develop a description of the the cyber risks of all components of medical devices and other healthcare technologies. The move is seen as an important initial step toward ensuring the cybersecurity of the technologies.
But a member of the task force says Congress should be pressing HHS to take action on all of the panel's recommendations, not just one.
"This is a systemic problem; it won't be solved by taking two aspirin - or one action item - and calling the CISO in the morning. It will take a systemic approach - an integrated care team, if you will," says David Finn, executive vice president of innovation at security consultancy CynergisTek.
In a letter to HHS, House Energy and Commerce Committee Chair Greg Walden, R-Oregon, requests that the agency provide the committee no later than Dec. 15 with a plan of action for "creating, deploying and leveraging bills of materials for healthcare technologies."
A bill of materials would "describe the technology's components - for example, equipment, software, open source, materials - as well as any known risks associated with those components," Walden notes.
In addition, Walden requests that HHS by Dec. 22 make its staff available to provide a briefing to the committee on this work.
'Black Boxes' of Risk
Walden writes that while the healthcare sector's susceptibility to cyber threats has many causes, "a significant and frequent source of risk is due to the fact that many of the technologies leveraged by healthcare stakeholders are, in essence, 'black boxes'.''
Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exists within the technologies on which they rely to provide vital medical care, Walden writes. "This lack of visibility directly affects the ability of these stakeholders to assess their levels of risk and adjust their strategies appropriately."
Walden notes that these challenges were recently examined by the HHS cybersecurity task force, which was established under the Cybersecurity Information Sharing Act of 2015. In the task force's final report on improving cybersecurity in the healthcare industry, issued in June, the group recommended a "bill of materials" as a potential solution to this problem.
"Recent events have highlighted the increasing - and potentially serious repercussions - of organizations lacking visibility or awareness about the products and services they leverage on a daily basis," Walden writes. "For example, in the WannaCry and NotPetya outbreaks, both strains of malware relied on a vulnerability within a widely used protocol known as SMBv l. During these outbreaks, a critical part of stakeholders' response efforts was to identify which technologies within their networks leveraged SMBvl, and then to take appropriate steps to 'quarantine' and otherwise protect these technologies from infection," the letter notes.
"However, because information detailing which pieces of technology contain which protocols is often severely lacking or altogether unavailable, stakeholders were forced to take less targeted, and thus less effective, remediation steps, or to contact the manufacturers individually to try and obtain the missing information," Walden writes. For healthcare organizations that use thousands of technologies, this slow, manual process hampers their ability to respond to cybersecurity emergencies and their ability to protect patients, he adds.
Good Start, But ...
Cris Ewell, CISO at the University of Washington Medicine, says a bill of materials from medical devices makers and other health technology providers would be a good start, but more information is needed.
"Whether it is a BOM or another mechanism, it would be great to have this information prior to the device being put into service," Ewell says. "Part of the problem is that there are multiple ways for a device to enter the hospital or research facility, so the vendor information would not solve the entire issue."
A healthcare entity must also have a process to integrate the medical devices as part of an overall strategy that addresses the limitations and risks associated with the medical device operating system and inherent vulnerabilities, he says. "As you know, there are many medical devices that have outdated software, which must be supported to care for patients. In addition to the information listed, we also would like to understand the network protocols and ports as well as accounts required for normal and administrator access."
Finn, who served on the cybersecurity task force, says he's pleased that Congress is finally taking notice of the issue spelled out in the report. But he's disappointed that legislators are taking a narrow and slow approach in addressing the task force's 88-page report filled with dozens of recommendations.
"It is encouraging that Congressman Walden pointed to the task force report, but my concern is that here we are with six imperatives, 27 recommendations, 104 action items - and almost six months down the road from the release of the report - and Congress is now calling for one step in the entire report," he says.
"Even in the report, it was pointed out that the task force was focused on development of recommendations that will collectively help increase security across the industry. In other words, while all the steps will have to be implemented individually, the ability to enhance security in the sector is contingent on implementing more of the items, not handpicking specific items."
Finn says the bill of materials "is most useful during the procurement process, but if you implement that item without the following [action item] ... which addresses information sharing programs around medical devices after they are deployed, you haven't gained much."
Other recommendations in the report, Finn says, are also critical to improving the cybersecurity or medical devices. Those include: addressing secure lifecycle development, authentication to systems and devices, and architectural design issues around medical devices, as well as establishing a Medical Computer Emergency Readiness Team, or MedCERT, to coordinate a medical device-specific response to cyber incidents and vulnerabilities.
"It is time for Congress to address the report holistically and stop calling out specific items that while helpful are only part of a much bigger system of systems," he says.
HHS did not immediately respond to an Information Security Media Group request for comment on committee's request.