Analysis: The Merits of Medical Device Security Legislation
Cybersecurity Expert Joshua Corman Sizes Up the Bill and Its Potential Impact
Recently proposed legislation could put more pressure on manufacturers and healthcare entities to bolster efforts already underway to improve the security of medical devices, says cybersecurity expert Joshua Corman.
The Medical Device Cybersecurity Act of 2017, which was recently introduced by Sen. Richard Blumenthal, D-Conn., contains a number of provisions, some of which are similar to ongoing efforts in the healthcare sector, including work being done by the Food and Drug Administration and some recommendations that were issued earlier this year by the Department of Health and Human Services' cyber task force, notes Corman, who is a member of the task force.
"The bill caught a lot of folks flat-footed and confused because there's quite a bit in there that overlaps with what the FDA is already asking for in [its] pre- and post-market [medical device cybersecurity] guidance," Corman says in an interview with Information Security Media Group. "But that said, I think that it's a good thing to stimulate discussion.
"The act of putting [these provisions] into a bill potentially could get some good conversation ... on the record, in a hearing or other forum - some clarification on things," says Corman, who is founder of I Am The Cavalry, a grassroots, not-for-profit cyber safety organization.
In the interview (see audio link below photo), Corman also discusses:
- The merits of specific proposals in the Blumenthal legislation, including provisions addressing medical device software patches, the creation of a report card to compare the security capabilities of medical devices, and ways to bolster remote access protections of medical devices;
- Why some healthcare entities and medical device makers incorrectly interpret FDA guidance as "voluntary" guidelines that have no consequences if ignored;
- Whether the Blumenthal legislation has a shot of becoming law;
- Another legislative proposal to address the cybersecurity of the internet of things and how it relates to the proposed medical device bill.
In addition to his role at I Am The Cavalry, Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center of International Security. He is also a member of the Department of Health and Human Services' Cybersecurity Task Force. Corman formerly served as chief technology officer for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems.