FDA Should Serve as Cybersecurity Model, Lawmaker Says


By Alex Ruoff

May 2 — One of the founders of the Congressional Cybersecurity Caucus is looking for greater collaboration between the federal government and private companies, particularly health-care companies, to combat cybercrime.

Rep. Jim Langevin (D-R.I.) told Bloomberg BNA April 29 that he's supporting the FDA's recently proposed recommendations for medical device manufacturers on addressing cybersecurity vulnerabilities in their products. He said the draft guidance strikes the right balance between encouraging device makers to be proactive about protecting their products from cyberattacks and allowing private industry room for innovation.

“It goes along with my philosophy that the government can't solve cybersecurity on its own and private industry isn't going to solve it on its own,” Langevin said.

Langevin—who serves on the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies—said the FDA has created “a model for other agencies to follow” on promoting cybersecurity readiness in private industry. He said he's looking for other opportunities to establish similar public-private collaboration on cybersecurity issues.

Langevin's endorsement provides an influential boost for the FDA's draft guidance, which was criticized by some security researchers who referred to the agency as a “toothless dragon” for not requiring device manufacturers to include some minimal security standards in their products.

The FDA released its draft guidance in January (81 Fed. Reg. 3,803). The 25-page document includes proposed steps manufacturers should take to report their cybersecurity vulnerabilities (11 HCDR, 1/19/16).

Fighting Ransomware

Some lawmakers are growing concerned about the rise of ransomware attacks, which have hit the health-care industry particularly hard in recent months, Langevin told Bloomberg BNA.

Ransomware is malicious software that encrypts data on the victim's systems so that it becomes inaccessible without a decryption key held by the attacker, who demands payment for it. Langevin said he wants the Securities and Exchange Commission to take a more active role in encouraging companies to protect their IT networks to help fend off ransomware attacks, which often begin with malicious software delivered by e-mail. Part of that effort will include introducing a House version of the Cybersecurity Disclosure Act.

Four hospital systems have reported being afflicted by ransomware this year, starting with Los Angeles-based Hollywood Presbyterian Hospital, which lost access to its electronic health record system for several days in February before paying $17,000 to unlock its data.

The bill, introduced in the Senate (S.2410) by Sen. Jack Reed (D-R.I.), would direct the SEC to require companies to disclose in their annual financial reports whether their corporate boards contain any cybersecurity experts.

The bill would highlight whether companies are prioritizing cybersecurity, Langevin said.

He said he also wants to start a public awareness campaign aimed at encouraging Americans to practice good cyber-hygiene. Langevin said he wants a “Smokey Bear” for cybersecurity, a nationwide advertising campaign to raise awareness of the issue.

Langevin said this campaign would include tips for avoiding malicious websites and protecting personal data from online threats.

“Fixing the problem isn't about creating more bureaucracy or layers of oversight, it's about working together to fix the problem,” he said.

Industry Comment

Langevin isn't the only one praising the FDA for its approach to improving the cybersecurity of medical devices.

The Advanced Medical Technology Association (AdvaMed), in a letter to the FDA, praised the draft guidance and emphasized the agency's “flexible approach.”

AdvaMed, which represents the medical device industry, asked the FDA to explain further what organizations qualify as Information Sharing and Analysis Organizations (ISAOs).

The draft guidance proposed that discovery of certain vulnerabilities won't require any new reporting to the FDA, as long as the details of those vulnerabilities are shared with an ISAO. According to the FDA, a cybersecurity vulnerability that has not caused serious adverse events or deaths, and that is addressed within 30 days of the manufacturer learning of it, won't require new reporting, provided the manufacturer is a participating member of an ISAO and reports the vulnerability to that ISAO.

According to the draft guidance, ISAOs are partnerships between public and private organizations to share cybersecurity information.

AdvaMed asked the FDA to clarify how the agency will determine who is participating in an ISAO and whether device makers have to participate with a specific ISAO.

To contact the reporter on this story: Alex Ruoff in Washington at aruoff@bna.com

To contact the editor responsible for this story: Kendra Casey Plank at kcasey@bna.com
