The FDA, medical devices, and cybersecurity are popular subject matter for proposed Federal legislation, even though most bills in this arena never clear committee. One wonders sometimes if those introducing such bills really care about them being enacted, or are they just an exercise in publicity and perhaps self-aggrandizement.
On October 5, 2017 H.R. 3985: Internet of Medical Things Resilience Partnership Act of 2017 was introduced by Dave Trott of Michigan and Susan Brooks of Indiana. In addition to possible self-aggrandizement, in the present case the bill also celebrates National Cybersecurity Month. If you haven't celebrated this yet, you better hurry. To my eye, and ear, the self-aggrandizement component is illustrated in part by the tense used in their announcement. For example it is stated in the press release that the bill "creates" the partnership, but a bill creates nothing. Wouldn't it be more accurate to say "seeks to create"? The announcement also switches back and forth between data security and the theoretical potential for malicious medical device hacking, a risk for which I am not aware of any public reports of actual occurrence. This of course does not mean that there is not extensive effort addressing such risks on a variety of fronts including the FDA's recent Guidance on "Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices" which is part of its overall cybersecurity effort. While medical data breaches certainly are real, the Equifax loss of our personal information may have now made medical breaches moot.
The four page Partnership bill calls for the establishment of working group of public and private entities, led by the Food and Drug Administration, to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices, and for other purposes. The cumbersome "Internet of Medical Things devices" will hopefully soon be forgotten. This working group would be convened 5 months after passage of the act with the charge to develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the United States that store, receive, access, or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm. The mandated membership of this group will be from FDA, ONC, Office of Technology Research of the FTC, Cybersecurity and Communications Reliability Division of the FCC, NIST and the National Cyber Security Alliance. The latter is itself a self-described conglomerate of public and private entities, although its board of directors are all corporate folks (and 90% male by the way). In addition there would be three members selected from medical device manufacturers, health care providers, health insurance providers, cloud computing, wireless network providers, enterprise security solutions systems, health information technology, Web-based mobile application developers, software developers, and hardware developers. Perhaps early in the agenda it can be decided if the proper term is cyber security or cybersecurity.
Eighteen months after enactment (one year after formation) this group is to provide a report including:
- Identification of existing cybersecurity standards, guidelines, frameworks, and best practices
- Identification of existing and developing international and domestic cybersecurity standards, guidelines, frameworks, and best practices that mitigate vulnerabilities
- Specification of high-priority gaps for which new or revised standards are needed
- Potential action plans by which such gaps can be addressed
One might note that this activity appears to overlap if not duplicate a variety of activities already underway. The use of legislation to direct agencies to do what they are already doing doesn't seem to me to offer much value, although there are times when agencies don't seem to be doing what they are supposed to do. However agencies are also not necessarily responsive to legislative directions, especially when they have relatively short time lines. On the other hand Gov.track, a useful legislative guide (with which I have no affiliation) gives this measure, quoting Skopos Labs, gives this legislation a 2% chance of passage.
While engaged in a review of pending legislation you might want to also look at S. 1656: Medical Device Cybersecurity Act of 2017, or H.R. 1591: WiFi Capable Mobile Devices Act of 2017 among others.