Medical Device Cybersecurity Act of 2017: benefits and burdens

August 30, 2017
An editorial by Robert Kerwin
General Counsel, IAMERS

Shortly before the summer congressional recess, Senator Blumenthal (D.-CT) filed a bill to amend the Federal Food, Drug, and Cosmetic Act to provide cybersecurity protections for medical devices. S. 1656, if approved, will require manufacturers to provide a report card for indicating the cybersecurity functions of cyber devices.

The report card would contain: (a) a disclosure statement by the manufacturer of medical device security; (b) a traceability matrix that establishes design components and traces compensating cybersecurity controls; (c) industry-standard compensating controls that providers can use to improve cybersecurity; (d) a cybersecurity risk assessment, conducted by the manufacturer or a third party, explaining the risk the device poses to patient safety and the clinical hazards; and (e) an indication of whether the device is capable of being remotely accessed. If the device can be remotely accessed, the bill would require the report card to disclose any security measures and access protocols the device has in place to secure such access.
The manufacturer's report card would be disclosed on a confidential basis to any health care industry entity that the FDA determines to have a valid interest. The manufacturer would be required to submit an annual update to the FDA and to any other third party authorized by the manufacturer. The manufacturer would be required to obtain consent from the health care provider and patient prior to access (the health care provider would be charged with obtaining consent from the patient). The manufacturer would be required to notify the provider when accessing the device remotely, to maintain an audit log entry for each time the manufacturer accesses the device remotely, and to make the access log accessible to the provider.

Automated tools would be installed to track access or identify attempts at unauthorized access to any cyber capability of the device. The manufacturer would be required to provide free cybersecurity fixes or updates until the end-of-life of the equipment or 10 years after the date on which the manufacturer discontinues marketing the device.

While requiring a medical device cyber report card and the disclosure of compensating controls is laudable, the virtual absence of third-party access to the cyber report card, and the need to have the manufacturer approve such access, has huge implications for competition and hands a strategic advantage to the manufacturer.

Additionally, the audit provisions give the manufacturer an opportunity to pitch for installation and service business. The bill needs to be modified to permit access by third parties authorized by the health care provider, and to remove the manufacturer's discretion to determine unilaterally the end-of-life of the equipment.