Changes to federal, state interoperability legislation: What to know

The regulatory landscape for interoperability is changing, according to Mildred Segura, partner at international law firm Reed Smith

Segura

“Given the rapidly transforming nature of interoperable devices, we anticipate we will see even more activity at the federal and state level,” says Segura.

It is critical that healthcare executives stay up to date on the law. Here are some of the biggest changes to watch.

Federal legislation

Pending legislation includes:

Internet of Medical Things Resilience Partnership Act of 2017

The bill seeks to “establish a working group of public and private entities led by the FDA to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices, and for other purposes.” The proposed team would include everything from public entities such as the FTC, the FDA, HHA, and the U.S. Department of Commerce, to medical device manufacturers, cloud-computing experts, healthcare providers and insurers, and software and hardware developers, among others. It would assemble no later than five months after enactment of the legislation.

No later than 18 months after enactment, the group would generate a report recommending voluntary frameworks and guidelines to increase security and resilience of Internet of Medical Things devices. The report will focus on: (1) existing cybersecurity standards, guidelines, frameworks, best practices; (2) existing and developing international and domestic cybersecurity standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices (3) identifying high priority gaps for which new or revised standards are needed and (4) potential action plans by which gaps can be addressed.

While one current bill tracker scored the legislation’s chance of passing at a mere 3%, this number is not atypical for a recently proposed bill in the first step of the legislative process, according to GovTrack.US, which tracks the United States Congress and helps Americans participate in their national legislature.

Internet of Things (IoT) Cybersecurity Improvement Act of 2017

The bill’s stated purpose is “To provide minimal cybersecurity operational standards for Internet-connected devices purchased by federal agencies.” The bill defines Internet-connected devices expansively to include any device that is capable of connecting to and has regular connection with the Internet and has computer processing capabilities that can collect, send, or receive data. Further, the bill’s fact sheet contemplates there being in excess of 20 billion Internet-connected devices by 2020. Therefore, the scope of this proposed bill goes beyond core connected devices such, as smartphones and computers, to implicate government vendors in all sectors, including the healthcare industry. 

The legislation seeks to utilize the federal government’s market power to improve safety, setting guidelines for security clauses that agencies must require of vendors supplying Internet-connected devices to the federal government. These certifications would require that devices are:

1.     Patchable

2.     Do not contain known vulnerabilities as per the National Institute of Standards and Technology’s National Vulnerability Database or a similar database.   If a vendor identifies vulnerabilities, it must disclose them to an agency, with an explanation of why the device is nonetheless secure. If the agency is satisfied, it may still purchase the device.

3.     Rely on industry standard protocols for communication, encryption, and interconnection

4.     Do not contain hardcoded passwords for updates or remote access

In addition to regulating vendors, the legislation would also require each executive agency to inventory all Internet-connected devices it uses within 180 days of the legislation’s passage.

The bill remains in its early stages, as there has been no further documented activity since it was referred to the Committee on Homeland Security and Governmental Affairs on the day of its introduction, August 1, 2017, and has an estimated 13% chance of passage, according to GovTrack.US.

Given the expansive nature of this bill, its requirements could impact all healthcare vendors supplying interconnected medical devices to the federal government, says Segura.

“The bill also represents yet another signal of the Federal Government’s increasing focus on the security of Internet-connected devices.  If enacted, the expectations regarding the security of Internet-connected devices as set forth in the legislation could be interpreted by courts as the minimal floor for any such device,” she says.

Next: State legislation

State legislation

Legislation also has been introduced at the state level. For example, in California, Senate Bill 327 was introduced earlier this year in response to security and privacy concerns posed by Internet-connected devices sold to consumers.  Although the bill was later referred to the inactive file due to opposition, it sought to require manufacturers that sell or offer to sell a connected device defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to:

•  Equip devices with appropriate security features;

• Disclose whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive user information

• Obtain consent for consumer data collection; and

• Notify consumers of security patches.Given the bill’s broad scope, it arguably swept in healthcare manufacturers selling consumer devices capable of collecting among other things, biometric and health related information.  While the bill is no longer being actively considered, it is yet another example of the increasing attention being paid to the safety and security of Internet-connected devices of which we’re likely to see more of in 2018.

Security a top concern

Segura stresses that no interoperable device can be made 100% safe, but because of the potential risks, especially the risk of patient harm, now more than ever there is emphasis on securing devices on at the design and development phase.

“This poses many challenges, especially considering the use of legacy systems and the length of the design and development cycle for many interoperable devices,” she says.

Healthcare executives will be expected to implement measures to ensure they are using interoperable devices safely, and using devices which comply with the industry standard. 

“The problem, however, is there is currently no clear industry standard for reasonable security measures,” Segura says. “Instead, there is an alphabet soup of agencies increasingly focused on cybersecurity, all releasing their own nonbinding guidance on how to assess and respond to vulnerabilities. These agencies are also pressuring the industry to come up with their own standards. The result is the industry is left without any consistent guidance as to what is reasonable. Further, as noted in the federal government’s Health Care Industry Cybersecurity Task Force’s June 2017 report, there are gaps in the current regulatory framework.”

For examples, she points to the FDA’s Guidance on Design Considerations and Pre-Market Submission Recommendations for Interoperable Medical Devices, which  identifies specific considerations when developing and designing interoperable medical devices.

“This guidance, however, is focused on device safety and device manufacturers, not hospitals,” Segura says. “HHS, whose purview is patient privacy, regulates hospitals and other ‘covered entities,’ which may not include device manufacturers.”