The House Committee on Energy and Commerce is asking the Department of Health and Human Services require that manufactures list the components and materials used in medical equipment as one way of helping ensure these devices are safe from cyberattacks.
In a letter to HHS Acting Secretary Eric Hargan on behalf of the entire committee, Rep. Greg Walden, R-Ore.,cites the WannaCry and NotPetya attacks made earlier this year as examples of malware that could have been defeated if hospitals and equipment vendors had a better idea of what components were used in their manufacture. Walden cited a report by the Health Care Industry Cybersecurity Task Force which recommended that a bill of materials (BOM) should exist for each piece of medical technology that would describe the device's components, including software, as well as, any known risks associated with those parts.
“As such, we write today to request the Department of Health and Human Services convene a sector-wide effort to develop a plan of action for creating, deploying, and leveraging BOMs for healthcare technologies. This will require an open and collaborative process to ensure that all interested stakeholders have an opportunity to contribute to this discussion in the interest of achieving the strongest and most effective solution,” Walden wrote.
As it now stands those responsible for the cyber safety of a medical device has no direct visibility into the device hindering their ability to assess levels of risk, he added.