The US House Energy and Commerce committee is looking to the Department of Health and Human Services to shore up medical device cybersecurity, according to a report from The Hill.
Committee Chair Greg Walden (R-Ore.) sent a letter to the HHS asking it to require device makers to provide a listed bill of materials, including third-party software components, used in each of their products, according to the report.
“Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care. This lack of visibility directly affects the ability of these stakeholders to assess their levels of risk and adjust their strategies appropriately,” Walden wrote in the letter, according to The Hill.
Because electronics development is modular, both software and hardware components often require updates and support from third parties outside the company that assembles devices, according to the report.
Security exploits and vulnerabilities are normally patched by manufacturers and not the original component developers. Due to the oft-long periods between manufacturing and sales of devices, problems can manifest themselves quickly upon release, according to The Hill.
In the letter, Walden references bills of materials as an important recommendation of the Health Care Industry Cybersecurity Task Force established by the HHS last year, according to the report.
“It helps solve two questions: Am I affected and where am I affected,” task force member and I Am The Cavalry device security advocacy group co-founder Josh Corman told The Hill. “This is a problem we know how to solve.”
The letter requests the HHS begin developing a plan to form a framework which would allow coordination between stakeholders in medical devices by December 15.