HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce is pushing HHS to act on the advice of the Healthcare Cybersecurity Task Force regarding medical device security in order to lower cyberattack risks. The Cybersecurity Act of 2015 formed the Healthcare Cybersecurity Task Force to help the healthcare industry secure and protect data against cyberattacks.

Healthcare organizations have indeed invested in technologies to fight cyberattacks, but medical devices were left behind, and cybercriminals exploit them as a way into healthcare networks and data. The Healthcare Cybersecurity Task Force offered recommendations for medical device security early this year, but the Department of Health and Human Services has still not acted on them.

The Chair of the House Committee on Energy and Commerce, Greg Walden (D-Or), wrote to HHS explaining that the core problem is that stakeholders do not know which new technologies – hardware, software and other components – can be relied on to deliver vital medical care.

As an example, Walden cited the NotPetya and WannaCry ransomware attacks, which took advantage of a vulnerability in the Windows Server Message Block protocol (SMBv1). Healthcare organizations did not know which technologies in their networks relied on SMBv1, so they could not mitigate the risk; finding out was difficult because information on SMBv1 usage was simply not available. Another example is the SamSam ransomware attacks, which exploited a vulnerability in JBoss. Also in 2015, vulnerabilities in the Telnet protocol were discovered. Many medical devices used Telnet, but the extent of its use in those devices was not clearly understood.

Insecure and outdated operating systems and protocols used in medical technologies present a real problem, leaving health organizations vulnerable to many rapidly evolving cyber threats. The Healthcare Cybersecurity Task Force recommended a Bill of Materials (BOM) as a possible way to resolve the problem. Under this recommendation, every medical technology would have a Bill of Materials listing all of its components (hardware, software and protocols) and the risks associated with those components. The Bill of Materials would help healthcare organizations respond to security risks when vulnerabilities are discovered. Although this solution will probably not totally protect the healthcare industry, it can improve the industry's cybersecurity as a whole.
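As an added illustration (not from the article or the Task Force), the following shows how a machine-readable Bill of Materials lets an organization answer the question Walden raised: which devices use SMBv1, Telnet, or a JBoss version older than the fixed release. The device entries, component versions and advisory identifiers are constructed examples, not real products or advisories.

```python
import json

# Constructed sample BOM: hypothetical devices, components and protocols (not real products).
SAMPLE_BOM = json.loads("""
[
  {"device": "infusion-pump-A", "firmware": "3.2.1",
   "components": [{"name": "Windows Embedded", "version": "7"}, {"name": "OpenSSL", "version": "1.0.1"}],
   "protocols": ["SMBv1", "HTTPS"]},
  {"device": "imaging-workstation-B", "firmware": "10.0",
   "components": [{"name": "JBoss", "version": "4.2.3"}, {"name": "Java", "version": "1.6"}],
   "protocols": ["HTTP", "Telnet"]},
  {"device": "patient-monitor-C", "firmware": "2.0",
   "components": [{"name": "Linux", "version": "4.4"}],
   "protocols": ["SSH", "HL7"]}
]
""")

# Constructed advisories: either a risky protocol, or a component with a "fixed_in" version
# (any version below it is considered affected). Identifiers are placeholders.
ADVISORIES = [
    {"id": "ADV-PROTO-SMBV1", "protocol": "SMBv1", "note": "SMBv1 abused by WannaCry/NotPetya-style worms"},
    {"id": "ADV-PROTO-TELNET", "protocol": "Telnet", "note": "cleartext remote administration"},
    {"id": "ADV-COMP-JBOSS", "component": "JBoss", "fixed_in": "5.0.0", "note": "old JBoss abused by SamSam"},
]


def version_tuple(version):
    """Naive dotted-numeric version parser; sufficient for the constructed sample data."""
    return tuple(int(part) for part in version.split("."))


def component_affected(component, advisory):
    """True when the component matches the advisory name and is older than the fixed version."""
    if component["name"].lower() != advisory["component"].lower():
        return False
    return version_tuple(component["version"]) < version_tuple(advisory["fixed_in"])


def triage(bom, advisories):
    """Return {device: [advisory ids]} for every device whose BOM matches an advisory."""
    hits = {}
    for dev in bom:
        for adv in advisories:
            by_protocol = "protocol" in adv and adv["protocol"] in dev["protocols"]
            by_component = "component" in adv and any(component_affected(c, adv) for c in dev["components"])
            if by_protocol or by_component:
                hits.setdefault(dev["device"], []).append(adv["id"])
    return hits
```

Running `triage(SAMPLE_BOM, ADVISORIES)` flags the infusion pump for SMBv1 and the imaging workstation for both Telnet and the outdated JBoss, while the patient monitor is clean; the same query that was impossible without a BOM becomes a routine lookup.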

Walden urged HHS to convene stakeholders and develop a plan for creating and deploying BOMs. He asked for the plan of action no later than December 15, 2017.