Addressing Healthcare Cybersecurity

The House Energy and Commerce Committee has been actively examining healthcare cybersecurity issues to identify common factors and potential strategies.

The House Committee concludes that, while healthcare cybersecurity is a complex issue with many different contributing factors, the use of legacy technologies, which are typically less secure than their modern counterparts, continues to be a root cause of many incidents, and trying to find and fix vulnerabilities can be costly.

Also, given the significant costs to replace legacy technologies, manufacturers and developers of medical technologies should be required to support these technologies as long as they are still in circulation.

However, it can be inefficient or impractical to fix vulnerabilities as this may require rewriting the chipsets, operating systems, or applications on which a technology relies. This is expensive in terms of time and the need for expert advice.

In looking for solutions to deal effectively with healthcare cybersecurity, the House Energy and Commerce Committee issued a Request for Information (RFI) last April seeking the public’s input and feedback on cybersecurity issues.

Three organizations, Access Now, Consumers Union, and New America’s Open Technology Institute, responded to the Energy and Commerce Committee and included their own ideas and thoughts in a letter sent to the Committee on June 28, 2018.

The letter pointed out that in 2016, it was revealed that an implantable heart monitor had a vulnerability that could allow access to the device, where malicious use could result in the battery being drained, changes being made to pacing, or perhaps the device issuing shocks. The company behind the device was able to issue a patch to remedy the vulnerability. This situation emphasizes that ineffective or unmaintained security of healthcare devices can have grave consequences.

Secondly, manufacturers and suppliers are best situated to take responsibility for lifecycle planning and plan for obsolescence. Manufacturers who bring products to market are in the best position to understand and balance safety, security, and effectiveness throughout the useful lifetime of the device.

Thirdly, buyers, patients, and care providers must be equipped to make informed choices. Providers and manufacturers must provide buyers, patients, and caregivers with all the necessary information and mechanisms needed to facilitate informed decisions and actions to maintain product security.

For the Energy and Commerce Committee statement, go to https://energycommerce.house.gov/wp-content/uploads/2018/04/20180420Supported_Lifetimes_RFI.pdf.

Go to https://consumerunion.org/wp-content/uploads/2018/06/coalition-RFI-Response-Medical-Devices.pdf for the response.