The regulatory landscape for interoperability is changing, according to Mildred Segura, partner at international law firm Reed Smith.
“Given the rapidly transforming nature of interoperable devices, we anticipate we will see even more activity at the federal and state level,” says Segura.
It is critical that healthcare executives stay up to date on the law. Here are some of the biggest changes to watch.
Pending legislation includes:
The bill seeks to “establish a working group of public and private entities led by the FDA to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices, and for other purposes.” The proposed working group would span public entities such as the FTC, the FDA, HHS and the U.S. Department of Commerce, as well as medical device manufacturers, cloud-computing experts, healthcare providers and insurers, and software and hardware developers, among others. It would have to be assembled no later than five months after enactment of the legislation.
No later than 18 months after enactment, the group would produce a report recommending voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices. The report would focus on: (1) existing cybersecurity standards, guidelines, frameworks and best practices; (2) existing and developing international and domestic cybersecurity standards, guidelines, frameworks and best practices that mitigate vulnerabilities in such devices; (3) identifying high-priority gaps for which new or revised standards are needed; and (4) potential action plans by which those gaps can be addressed.
GovTrack.us, which tracks the United States Congress and helps Americans participate in their national legislature, currently scores the bill’s chance of passage at just 3%. That figure is not atypical for a recently introduced bill at the first step of the legislative process.
Internet of Things (IoT) Cybersecurity Improvement Act of 2017
The bill’s stated purpose is “To provide minimal cybersecurity operational standards for Internet-connected devices purchased by federal agencies.” The bill defines Internet-connected devices expansively to include any device that is capable of connecting to, and has a regular connection with, the Internet and has computer processing capabilities that can collect, send or receive data. The bill’s fact sheet contemplates there being in excess of 20 billion Internet-connected devices by 2020. The scope of the proposed bill therefore goes well beyond core connected devices such as smartphones and computers, and implicates government vendors in all sectors, including the healthcare industry.
The legislation seeks to use the federal government’s purchasing power to improve security, setting guidelines for contract clauses that agencies must require of vendors supplying Internet-connected devices to the federal government. Vendors would have to certify that their devices:
2. Do not contain known vulnerabilities, as listed in the National Institute of Standards and Technology’s National Vulnerability Database or a similar database. If a vendor identifies such vulnerabilities, it must disclose them to the agency along with an explanation of why the device is nonetheless secure; if the agency is satisfied, it may still purchase the device.
3. Rely on industry-standard protocols for communication, encryption and interconnection.
4. Do not contain hardcoded passwords for updates or remote access.
In addition to regulating vendors, the legislation would also require each executive agency to inventory all Internet-connected devices it uses within 180 days of the legislation’s passage.
The bill remains in its early stages: it was referred to the Committee on Homeland Security and Governmental Affairs on the day of its introduction, August 1, 2017, and there has been no further documented activity since. GovTrack.us gives it an estimated 13% chance of passage.
Given the expansive nature of this bill, its requirements could impact all healthcare vendors supplying interconnected medical devices to the federal government, says Segura.
“The bill also represents yet another signal of the Federal Government’s increasing focus on the security of Internet-connected devices. If enacted, the expectations regarding the security of Internet-connected devices as set forth in the legislation could be interpreted by courts as the minimal floor for any such device,” she says.