Cybersecurity

House Energy and Commerce nudges HHS to shore up medical device supply chain security

A House committee is asking the Department of Health and Human Services (HHS) to improve the cybersecurity of medical devices by shoring up supply chains.

House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) sent a letter on behalf of the committee to HHS asking the agency to begin requiring device makers to list bills of materials — an accounting of the third-party software and hardware components used in each product.

“Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care,” the letter reads.

“This lack of visibility directly affects the ability of these stakeholders to assess their levels of risk and adjust their strategies appropriately,” he wrote.

Bills of materials are a popular request among device advocacy groups, both for medical tools and beyond.


Most software includes several code components designed and updated by third parties, and most hardware is composed of modular components designed by someone other than the firm assembling the device. Security flaws in these components are often patched by their original manufacturers but not by the companies that embed the components in their own devices, so a fix can exist upstream while the fielded device stays vulnerable.

The problem often manifests when a device is manufactured long before it is sold, so the components it ships with are already out of date by the time it reaches a hospital.

The letter references bills of materials as a key recommendation of the Health Care Industry Cybersecurity Task Force established by HHS in 2016.

Josh Corman, who served on the task force and co-founded the device security advocacy group I Am The Cavalry, told The Hill that bills of materials could be extremely helpful in patient care.

“It helps solve two questions: Am I affected and where am I affected?” he said.
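The two questions Corman names, and the component-patching gap described above, are what a machine-readable bill of materials makes answerable. The following Python is an added example written for this page, not code from the article, the committee, or any device vendor: every device name, component, version and advisory identifier in it is constructed for illustration. It matches each device's bill of materials against a list of supplier advisories, reports which devices carry a component below the supplier's fixed version, and separately flags devices for which no bill of materials exists at all, since those cannot be assessed either way.

```python
"""Matching software bills of materials (SBOMs) against vulnerability advisories.

Added example, not from the article or any vendor. All device names, component
names, versions and advisory IDs below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically,
    not lexically (as strings, '1.2.10' would sort before '1.2.9')."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Component:
    name: str       # third-party library or firmware module
    version: str
    supplier: str   # who publishes the patches for it


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    component: str
    fixed_in: str      # first version carrying the supplier's fix


# Constructed SBOMs: device -> list of components it ships with.
# A value of None models a device for which no bill of materials exists.
SBOMS: dict[str, list[Component] | None] = {
    "infusion-pump-A": [
        Component("libtls", "1.4.2", "ExampleCryptoCo"),
        Component("rtos-net", "3.0.1", "ExampleRTOS"),
    ],
    "imaging-workstation-B": [
        Component("libtls", "1.5.0", "ExampleCryptoCo"),
        Component("pdf-render", "2.2.7", "ExampleDocs"),
    ],
    "patient-monitor-C": [
        Component("rtos-net", "2.9.0", "ExampleRTOS"),
    ],
    "legacy-ventilator-D": None,
}

# Constructed advisories: every version below fixed_in is affected.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "libtls", "1.5.0"),
    Advisory("ADV-EXAMPLE-0002", "rtos-net", "3.0.0"),
]


def is_vulnerable(component: Component, advisory: Advisory) -> bool:
    """True when the advisory names this component and the shipped version
    predates the supplier's fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def affected_devices(sboms, advisories) -> dict[str, list[tuple[str, str, str]]]:
    """Answer 'where am I affected?': device -> [(advisory, component, version)].
    Devices without an SBOM are skipped here; see devices_without_sbom()."""
    hits: dict[str, list[tuple[str, str, str]]] = {}
    for device, components in sboms.items():
        if components is None:
            continue
        for comp in components:
            for adv in advisories:
                if is_vulnerable(comp, adv):
                    hits.setdefault(device, []).append(
                        (adv.advisory_id, comp.name, comp.version))
    return hits


def devices_without_sbom(sboms) -> list[str]:
    """Devices whose exposure cannot be determined because no SBOM exists."""
    return [device for device, components in sboms.items() if components is None]


def am_i_affected(sboms, advisories) -> bool:
    """Answer 'am I affected?' for the whole fleet of devices with SBOMs."""
    return bool(affected_devices(sboms, advisories))


if __name__ == "__main__":
    for device, findings in affected_devices(SBOMS, ADVISORIES).items():
        for advisory_id, name, version in findings:
            print(f"{device}: {name} {version} affected by {advisory_id}")
    for device in devices_without_sbom(SBOMS):
        print(f"{device}: no bill of materials, exposure unknown")
```

The version comparison is deliberately simple (dotted integers only); real component inventories also need to normalize supplier and package names before matching, since the same library is often listed under different names by different vendors. The `None` entry is the important case: without a bill of materials the answer to "am I affected?" is not "no" but "unknown", which is the gap the letter describes.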

Corman pointed to the Hollywood Presbyterian Medical Center attack in 2016 as an example of a threat that the paperwork could have helped thwart. The hospital lost control of its computer systems until it paid what it said was a $17,000 ransom.

The malware used in the attack took advantage of a bug in a third-party component of a piece of hospital software. The FBI had even sent out warnings that the bug existed. Had the hospital known about the third-party components in its software, Corman said the hospital could have played an active role in making sure those systems stayed secure.

“This is a problem we know how to solve,” said Corman, who noted that bills of materials were standard in the automotive industry.

The House Energy and Commerce Committee’s letter asks HHS to develop a plan to coordinate stakeholders in medical devices to form a framework to encourage bills of materials by Dec. 15.

Updated: 5:10 p.m.