Congress Addresses Medical Device Vulnerabilities

The Medical Device Cybersecurity Act of 2017 was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT).  The new bill is intended to improve the security of medical devices and increase transparency. If passed, it would make healthcare organizations aware of the cyber capabilities of devices and the extent to which those devices have been tested.  Is this another law adding burden to a strained healthcare industry or a vital piece of legislation designed to protect the public?  Let’s see if this bill is really needed.

Recent global cyber-attacks established the vulnerability of several medical devices that could result in the theft of electronic Protected Healthcare Information (ePHI) or worse, the potential to cause patient injury or death.  The Wannacry virus infected both Siemens and Bayer medical devices.  You might think that isn’t such a big deal as Wannacry infected a wide range of companies and systems, including a considerable number of hospitals in England that were crippled as their IT systems were rendered useless with the ransomware.

But recent studies show that the medical device manufacturers are not investing in the cybersecurity of new medical devices.  Last year, the Department of Homeland Security issued an alert about the Pyxis Supply Station from CareFusion when the drug cabinet system was found to have over 1,400 vulnerabilities.  This year researchers reviewed implantable cardiac devices and uncovered more than 8,000 security flaws in multiple devices.  It is interesting to note that a new form of MedJack malware, developed specifically to attack medical devices such as heart monitors and MRI machines, was discovered earlier this year.

The explosion of Internet of Things (IoT) devices has manufacturers rushing devices to market to beat the competition and claim market share.  Devices that are not cyber-hardened in the design process and fully tested prior to delivery to the customer (Provider) place the burden of patient protection on the care environment; on the nurses, doctors and their IT support organization who are already overburdened and underfunded. (See our previous post for caregivers Healthy Skepticism - Your Best Cyber Defense)

If we step back and look at the situation, the patients (all of us) are at risk. We are at risk of having our identities stolen and at risk of suffering harm or even death.  In summary, I hope Congress passes this legislation quickly!

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

Ed Jones, PMP, CHSP
About the Author

Over 30 years of customer facing experience managing projects in healthcare, IT, process automation in a variety of tech industries, Ed has worked for start-ups to Fortune 100 companies. He has performed numerous complex and extensive risk assessments, and developed and managed the corresponding risk management strategies.

%d bloggers like this: