Republican representatives David Trott (R-MI) and Susan Brooks (R-IN) last week introduced a bill calling for the US Food and Drug Administration (FDA) to lead a new public-private working group on medical device cybersecurity.
The bill, known as the Internet of Medical Things Resilience Partnership Act, calls on FDA to set up a working group with representatives from other federal agencies, industry and academia to "develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices."
In recent years FDA has increased its focus on device cybersecurity. Since 2014, the agency has held three public workshops on cybersecurity and has issued final guidance on pre- and postmarket cybersecurity.
"Bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality. This can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies," Rep. Brooks said.
Specifically, the working group would include representatives from FDA, the Department of Health and Human Services (HHS), Federal Trade Commission (FTC), Federal Communications Commission (FCC), National Institute of Standards and Technology (NIST) and the National Cyber Security Alliance. On the industry side, the bill calls for at least three members from each of a number of private sector areas, including medical device manufacturers, healthcare providers, insurers, enterprise security firms, as well as hardware and software developers.
If passed, the bill would require FDA to submit a report to Congress within 18 months identifying current and developing cybersecurity standards, gaps where new or revised standards are needed and a plan to address those gaps.
Device industry group, AdvaMed, has said it supports the bill.
"We believe management of potential cybersecurity threats is a shared responsibility among all stakeholders, including manufacturers, hospitals, health care professionals, patients, regulators and IT developers," said AdvaMed CEO Scott Whitaker.
However, it is unclear how the working group would fit in with FDA's ongoing cybersecurity efforts, including its memorandum of understanding with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS). Additionally, the bill does not mention the Department of Homeland Security (DHS) in the list of working group representatives, despite the agency's role in coordinating cybersecurity efforts through its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Statement, Bill Text