A new bill called the “Internet of Medical Things Resilience Partnership Act of 2017,” H.R. 3985, was recently introduced in the House of Representatives. If passed as drafted, the bill will establish a working group of public and private entities led by the Food and Drug Administration (FDA) and National Institute of Standards and Technology (NIST) to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices. Specifically, the working group will develop “recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the U.S. that store, receive, access or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm.”
Other required members in the proposed working group include representatives from the Center for Devices and Radiological Health of the FDA, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services, the Office of Technology Research and Investigation of the Federal Trade Commission, the Cybersecurity and Communications Reliability Division of the Federal Communications Commission and the National Cyber Security Alliance.
The working group also would have at least three appointed members from the following private sector industries: medical device manufacturers, healthcare providers, health insurers, cloud computing, wireless network providers, enterprise security solutions systems, health information technology, web-based mobile application developers, software developers and hardware developers.
The group would then submit a report to Congress with recommendations on the following:
- existing cyber security standards, guidelines, frameworks and best practices that are applicable to mitigate vulnerabilities in medical IoT devices;
- existing and developing international and domestic cyber security standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices;
- high-priority gaps for which new or revised standards are needed; and
- potential action plans by which such gaps can be addressed.
Thus, the bill could provide an opportunity for the government and private sector to coordinate in the development of voluntary standards for information security. White and Williams will continue to monitor the progress of this legislation.
If you have any questions, you may contact Joshua Mooney (email@example.com, 215.864.6345), Jay Shapiro (firstname.lastname@example.org, 212.714.3063) or Rick Borden (email@example.com, 212.631.4439) of White and Williams’ Cyber Law and Data Protection Group.