Lawmaker to HHS: Label software in medical devices
The Trump administration should convene a national effort in partnership with the private sector to ensure that the owners and operators of medical devices, hospital IT networks and electronic health records systems can find out what software and other components are in the products they buy, says the chairman of the powerful House Energy and Commerce Committee.
In a letter Thursday to acting Health and Human Services Secretary Eric Hargen, committee Chairman Greg Walden, R-Ore., notes a congressionally chartered task force on health care cybersecurity earlier this year recommended such transparency requirements. The congressional report said there should be a “Bill of Materials” (BOM) for medical products because hospital IT managers and network administrators “must first understand what they have on their systems, before they can determine whether these technologies are impacted by a given threat or vulnerability.”
“We write today to request that [HHS] convene a sector-wide effort to develop a plan of action for creating, deploying and leveraging BOMs for health care technologies,” reads Walden’s letter.
The sector is vulnerable because of the “‘black box’ nature of most modern medical technology,” Walden writes.
The lawmaker gave the example of the vulnerability in a Windows computer protocol called SMBv1, which was exploited by the NotPetya and WannaCry malware.
“During these outbreaks, a critical part of stakeholders’ response efforts was to identify which technologies in their networks” used SMBv1 and find a way to isolate them, or otherwise protect them from the outbreak.
It’s much tougher for network managers to do that work if they don’t know what software is inside the devices and other products that they oversee.
One of the congressional task force’s leading members, Josh Corman, told CyberScoop that the visibility issue is especially important in the health care sector because of the long product life-cycles for medical devices, compared to typical IT products.
“It can easily take a manufacturer six years from inception to testing and [FDA] approval, before they get to market,” said Corman, the founder of I am the Cavalry, a volunteer cybersecurity group that focusses on, “where bits and bytes meet flesh and blood,” as Corman puts it. By that time most of the software it contains will already be outdated, he pointed out. Moreover, because the device was approved for sale fitted with the old software, it cannot legally be updated.
