Healthcare Informatics Magazine

House Committee Calls on HHS to Enhance Security of Medical Device Components

November 21, 2017
by Heather Landi

The House Committee on Energy and Commerce is calling on the U.S. Department of Health and Human Services (HHS) to take steps to strengthen the cybersecurity of medical devices by focusing on the security of technology components.

In a letter to HHS Acting Secretary Eric D. Hargan, House Energy and Commerce Committee Chair Greg Walden (R-Ore.), as representative of the committee, requested that HHS convene a sector-wide effort to develop a plan of action for creating, deploying and leveraging “bill of materials” (BOMs) for health care technologies. BOMs are an accounting of third-party software components used in each medical device product.

The Health Care Industry Cybersecurity Task Force recommended the use of BOMs in a report on improving cybersecurity in the healthcare industry. As envisioned in the report, a BOM would exist for each piece of medical technology and would “describe the technology’s components (e.g. equipment, software, open source, materials) as well as any known risks associated with those components,” Walden wrote in the letter.

According to the Task Force, having a “bill of materials” is key for organizations to manage their assets, because they must first understand what they have on their systems before determining whether these technologies are impacted by a given threat or vulnerability. “Moreover, this transparency enables health care providers to assess the risk of medical devices on their networks, confirm components are assessed against the same cybersecurity baseline requirements as the medical device and implement mitigation strategies when patches are not available,” the Task Force wrote in the report.

In the letter to HHS, Walden noted that cyber threats to the healthcare sector are becoming more numerous, more frequent and more severe. “While the sector’s susceptibility to cyber threats has many causes, a significant and frequent source of risk is since many of the technologies leveraged by health care stakeholders are, in essence, ‘black boxes,’” Walden wrote.

Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exists within the technologies on which they rely to provide vital medical care. This lack of visibility directly affects the ability of these stakeholders to assess their levels of risk and adjust their strategies appropriately, Walden wrote.

Walden cited the recent WannaCry and NotPetya malware attacks, which relied on a vulnerability within a widely used protocol, as illustrative of the types of issues created by the “black box” nature of most modern medical technologies.

Walden also said the continued prevalence of insecure and legacy components in health care technologies posed significant risks. “While the implementation and use of BOMs will not completely protect the health care sector from cyber threats, it is an important, common-sense step towards improving the cybersecurity of the sector overall,” Walden wrote.

The House Energy and Commerce Committee's letter asks HHS to develop a plan to coordinate stakeholders in medical devices to form a framework to encourage bills of materials by Dec. 15.
