Friday, October 20, 2017

HR 3985 Introduced – IoMT Security

Earlier this month Rep. Trott (R,MI) introduced HR 3985, the Internet of Medical Things Resilience Partnership Act of 2017. The bill would establish a working group of public and private entities led by the Food and Drug Administration to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices.

The Working Group

The Working Group would be chaired by the FDA Commissioner. The other members would represent {§2(b)(3)}:

• The Center for Devices and Radiological Health of the Food and Drug Administration;
• The Office of the National Coordinator for Health Information Technology of the Department of Health and Human Services;
• The Office of Technology Research and Investigation of the Federal Trade Commission;
• The Cybersecurity and Communications Reliability Division of the Federal Communications Commission;
• The National Institute of Standards and Technology of the Department of Commerce; and
• The National Cyber Security Alliance

Additionally, the Chair would appoint three members each from the following private sector groups {§2(b)(4)}:

• Medical device manufacturers;
• Health care providers;
• Health insurance providers;
• Cloud computing;
• Wireless network providers;
• Enterprise security solutions systems;
• Health information technology;
• Web-based mobile application developers;
• Software developers; and
• Hardware developers.

The Group would have 18 months to prepare a report to Congress that provides recommendations, including {§2(c)}:

• An identification of existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to mitigate vulnerabilities in the devices described in subsection (a);
• An identification of existing and developing international and domestic cybersecurity standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices;
• A specification of high-priority gaps for which new or revised standards are needed; and
• Potential action plans by which such gaps can be addressed.

Moving Forward

While Trott is not a member of the House Energy and Commerce Committee (the Committee to which this bill was assigned for consideration), his co-sponsor, Rep. Brooks (R,IN), is. This means that it is possible that this bill may be considered in Committee.

I see nothing in the bill that would engender any specific opposition, so the bill would probably draw at least some bipartisan support and could pass in Committee and on the floor. It would all depend on how much leadership support could be generated for the consideration of this bill.


Congress frequently uses these types of study committees to develop workable solutions to complex technical problems. Unfortunately, there is no guarantee that the solutions prepared by such a working group would ever actually be considered by Congress, or converted into a legislative proposal for regulating the cybersecurity of medical devices.

The lack of any real definitions of terms or the extent of the problem provides the Group with a rather wide mandate. This could be a good thing, but it is more likely to dilute the energy of the group into spending too much time in defining the scope of the problem rather than working on proposals to solve the problem.

Finally, I see two major shortcomings: gaps in the proposed membership and the lack of organizational details.

On the membership issue, it is clear to me that ICS-CERT should have been included in the list of government agencies that should be represented in the Working Group. That and the lack of inclusion of security researchers would seem to indicate that Trott and Brooks (and more likely, their staffs) are deliberately ignoring how the identification of security vulnerabilities in specific devices by the independent security research community affects the cybersecurity of medical devices. The lack of any formal coordinated disclosure process is an obvious hole in medical device security that needs to be addressed.

Because the Working Group includes both governmental and private sector representatives, the lack of any reference to the rules regarding advisory groups is a glaring omission in this bill. Thus, the Group would again have to expend time and resources working out their rules for their meetings, including public accessibility and notifications of meetings. Again, with an 18-month time limit, they do not need that distraction.

