[WASHINGTON, DC] – U.S. Senator Richard Blumenthal (D-CT) introduced the Medical Device Cybersecurity Act, a bill to protect patients’ sensitive medical information from hackers by providing cybersecurity protections for medical devices.
Recent high-profile ransomware attacks and large-scale privacy breaches underscore just how vulnerable some medical devices remain to cyberattacks and how some manufacturers knowingly or unknowingly continue to sell vulnerable products that fail to safeguard patient records and health. In one egregious example, researchers discovered over 1,400 vulnerabilities in a single medical device. These devices contain a wealth of confidential patient health information and, when compromised, can harm patients receiving treatment.
“The security of medical devices is in critical condition,” said Senator Blumenthal. “My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”
The Medical Device Cybersecurity Act of 2017 seeks to improve medical device security by:
• Increasing transparency of medical device security by creating a cyber report card for devices and mandating testing prior to sale;
• Bolstering remote access protections for medical devices in and outside of the hospital;
• Ensuring crucial cybersecurity fixes or updates remain free and do not require FDA recertification;
• Providing guidance and recommendations for end-of-life devices, including secure disposal and recycling instructions; and
• Expanding the DHS Computer Emergency Readiness Team (ICS-CERT) responsibilities to include the cybersecurity of medical devices.
The bill is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).