Earlier this month Rep. Trott (R,MI) introduced HR 3985, the
Internet of Medical Things Resilience Partnership Act of 2017. The bill would establish
a working group of public and private entities led by the Food and Drug
Administration to recommend voluntary frameworks and guidelines to increase the
security and resilience of Internet of Medical Things devices.
The Working Group
The Working Group would be chaired by the FDA Commissioner.
The other members would represent {§2(b)(3)}:
• The Center for Devices and Radiological Health of the Food and Drug Administration;
• The Office of the National Coordinator for Health Information Technology of the Department of Health and Human Services;
• The Office of Technology Research and Investigation of the Federal Trade Commission;
• The Cybersecurity and Communications Reliability Division of the Federal Communications Commission;
• The National Institute of Standards and Technology of the Department of Commerce; and
• The National Cyber Security Alliance.
Additionally, the Chair would appoint three members each
from the following private sector groups {§2(b)(4)}:
• Medical device manufacturers;
• Health care providers;
• Health insurance providers;
• Cloud computing;
• Wireless network providers;
• Enterprise security solutions systems;
• Health information technology;
• Web-based mobile application developers;
• Software developers; and
• Hardware developers.
The Group would have 18 months to prepare a report to
Congress that provides recommendations including {§2(c)}:
• An identification of existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to mitigate vulnerabilities in the devices described in subsection (a);
• An identification of existing and developing international and domestic cybersecurity standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices;
• A specification of high-priority gaps for which new or revised standards are needed; and
• Potential action plans by which such gaps can be addressed.
Moving Forward
While Trott is not a member of the House Energy and Commerce
Committee (the Committee to which this bill was assigned for consideration),
his co-sponsor, Rep. Brooks (R,IN) is. This means that it is possible that this
bill may be considered in Committee.
I see nothing in the bill that would engender any specific
opposition, so the bill would probably draw at least some bipartisan support
and could pass in Committee and on the floor. It would all depend on how much
leadership support could be generated for the consideration of this bill.
Commentary
Congress frequently uses these types of study committees to
develop workable solutions to complex technical problems. Unfortunately, there
is no guarantee that the solutions prepared by such a working group would ever
actually be considered by Congress, or converted into a legislative proposal
for regulating the cybersecurity of medical devices.
The lack of any real definitions of terms or the extent of
the problem provides the Group with a rather wide mandate. This could be a good
thing, but it is more likely to dilute the energy of the group into spending
too much time in defining the scope of the problem rather than working on
proposals to solve the problem.
Finally, I see two major shortcomings: gaps in the proposed
membership, and the lack of organizational details.
On the membership issue, it is clear to me that ICS-CERT
should have been included in the list of government agencies that should be
represented in the Working Group. That, and the lack of inclusion of security
researchers, would seem to indicate that Trott and Brooks (and more likely,
their staffs) are deliberately ignoring how the identification of
security vulnerabilities in specific devices by the independent security
research community affects the cybersecurity of medical devices. The lack of
any formal coordinated disclosure process is an obvious hole in medical device
security that needs to be addressed.