By Alex Ruoff
May 2 — One of the founders of the Congressional Cybersecurity Caucus is looking for greater collaboration between the federal government and private companies, particularly health-care companies, to combat cybercrime.
Rep. Jim Langevin (D-R.I.) told Bloomberg BNA April 29 that he's supporting the FDA's recently proposed recommendations for medical device manufacturers on addressing cybersecurity vulnerabilities in their products. He said the draft guidance strikes the right balance between encouraging device makers to be proactive about protecting their products from cyberattacks and allowing private industry room for innovation.
“It goes along with my philosophy that the government can't solve cybersecurity on its own and private industry isn't going to solve it on its own,” Langevin said.
Langevin—who serves on the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies—said the FDA has created “a model for other agencies to follow” on promoting cybersecurity readiness in private industry. He said he's looking for other opportunities to establish similar public-private collaboration on cybersecurity issues.
Langevin's endorsement provides an influential boost for the FDA's draft guidance, which was criticized by some security researchers who referred to the agency as a “toothless dragon” for not requiring device manufacturers to include some minimal security standards in their products.
The FDA released its draft guidance in January (81 Fed. Reg. 3,803). The 25-page document includes proposed steps manufacturers should take to report their cybersecurity vulnerabilities (11 HCDR, 1/19/16).
Some lawmakers are growing concerned about the rise of ransomware attacks, which have hit the health-care industry particularly hard in recent months, Langevin told Bloomberg BNA.
Ransomware is malicious software that encrypts data on the victim's network so that it becomes inaccessible without the purchase of an electronic key that is known only to the malware's creator. Langevin said he wants the Securities and Exchange Commission to take a more active role in encouraging companies to protect their IT networks to help fend off ransomware attacks, which often start with malicious software sent by e-mail. Part of that effort will include introducing a House version of the Cybersecurity Disclosure Act.
Four hospital systems have reported being afflicted by ransomware this year, starting with Los Angeles-based Hollywood Presbyterian Hospital, which lost access to its electronic health record system for several days in February before paying $17,000 to unlock its data.
The bill, introduced in the Senate (S.2410) by Sen. Jack Reed (D-R.I.), would direct the SEC to require companies to disclose in their annual financial reports whether their corporate boards contain any cybersecurity experts.
The bill would highlight whether companies are prioritizing cybersecurity, Langevin said.
He said he also wants to start a public awareness campaign aimed at encouraging Americans to practice good cyber-hygiene. Langevin said he wants a “Smokey Bear” for cybersecurity, a nationwide advertising campaign to raise awareness of the issue.
Langevin said this campaign would include tips for avoiding malicious websites and protecting personal data from threats online.
“Fixing the problem isn't about creating more bureaucracy or layers of oversight, it's about working together to fix the problem,” he said.
Langevin isn't the only one praising the FDA for its approach to improving the cybersecurity of medical devices.
The Advanced Medical Technology Association (AdvaMed), in a letter to the FDA, praised the agency's “flexible approach.”
AdvaMed, which represents the medical device industry, asked the FDA to explain further what organizations qualify as Information Sharing and Analysis Organizations (ISAOs).
The draft guidance proposed that discovery of certain vulnerabilities won't require any new reporting to the FDA, as long as the details of those vulnerabilities are shared with an ISAO. Cybersecurity risks that never caused serious adverse events or deaths and are addressed within 30 days of the device manufacturer learning of the vulnerability won't require new reporting, as long as the manufacturer is a participating member of an ISAO and reports the vulnerability to the ISAO, the FDA said.
According to the draft guidance, ISAOs are partnerships between public and private organizations to share cybersecurity information.
AdvaMed asked the FDA to clarify how the agency will determine who is participating in an ISAO and whether device makers have to participate with a specific ISAO.
To contact the reporter on this story: Alex Ruoff in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com