Called the "Internet of Medical Things Resilience Partnership Act," the measure calls for the FDA to set up a working group with other federal agencies, industry representatives, and academia to "develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices." The bill was introduced by Representatives David Trott (R-MI) and Susan Brooks (R-IN).
"Bad actors are not only looking to access sensitive information," says Brooks, "but they are also trying to manipulate device functionality. This can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies."
The working group would include representatives from the FDA, the Department of Health and Human Services (HHS), Federal Trade Commission (FTC), Federal Communications Commission (FCC), National Institute of Standards and Technology (NIST), and the National Cyber Security Alliance. The bill also calls for at least three members from each of a number of private sector areas, including medical device manufacturers, healthcare providers, insurers, and enterprise security firms, as well as hardware and software developers.
If passed, the bill would require the FDA to identify current and developing cybersecurity standards, gaps where new or revised standards are needed, and a plan to address those gaps. The agency would need to submit its results in a report to Congress within 18 months.
This is not the first legislation that focuses on medical cybersecurity. In August, the "Medical Device Cybersecurity Act of 2017," which would amend the Federal Food, Drug, and Cosmetic Act to provide cybersecurity protections for medical devices, was introduced in the Senate. The FDA itself has also been increasing its focus on device cybersecurity in recent years: it has held three public workshops on the topic and issued final guidance on pre- and postmarket cybersecurity.