A new bill called the “Internet of Medical Things Resilience Partnership Act of 2017,” H.R. 3985, was recently introduced in the House of Representatives. If passed as drafted, the bill will establish a working group of public and private entities led by the Food and Drug Administration (FDA) and National Institute of Standards and Technology (NIST) to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices. Specifically, the working group will develop “recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the U.S. that store, receive, access or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm.”

Other required members in the proposed working group include representatives from the Center for Devices and Radiological Health of the FDA, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services, the Office of Technology Research and Investigation of the Federal Trade Commission, the Cybersecurity and Communications Reliability Division of the Federal Communications Commission and the National Cyber Security Alliance.

The working group also would have at least three appointed members from the following private sector industries: medical device manufacturers, healthcare providers, health insurers, cloud computing, wireless network providers, enterprise security solutions systems, health information technology, web-based mobile application developers, software developers and hardware developers.

The group would then submit a report to Congress with recommendations on the following:

  • existing cyber security standards, guidelines, frameworks and best practices that are applicable to mitigating vulnerabilities in medical IoT devices;
  • existing and developing international and domestic cyber security standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices;
  • high-priority gaps for which new or revised standards are needed; and
  • potential action plans by which such gaps can be addressed.

Thus, the bill could provide an opportunity for the government and private sector to coordinate in the development of voluntary standards for information security. White and Williams will continue to monitor the progress of this legislation.

This article originally appeared on White and Williams Cyber News.


Joshua Mooney

Co-Chair of the White and Williams Cyber Law and Data Protection Group

Josh Mooney is Co-Chair of the White and Williams Cyber Law and Data Protection Group. Josh guides clients in assessing cyber risks and responding to cybersecurity incidents, including data collection and breaches, identifying exposures, complying with state and federal notification requirements, identifying and negotiating with appropriate vendors for response efforts, and negotiating resolution of matters, including litigation. He helps companies evaluate and improve their cybersecurity protocols, investigate cybersecurity incidents, and counsels companies on their legal obligations and liabilities before and after a cybersecurity incident strikes. You can contact Josh at mooneyj@whiteandwilliams.com

