The “Internet of Medical Things Resiliency Partnership Act of 2017” was introduced in the House of Representatives earlier this month.  Co-sponsored by Rep. David Trott (R-MI) and Rep. Susan Brooks (R-IN), the bill would require establishment of “a working group of public and private entities to develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the United States that store, receive, access, or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm.”

The bill specifies that the FDA Commissioner, or a designate thereof, will chair the working group, which will include representatives of the government, industry, and academia.  In addition to the FDA, agencies identified for participation include the following:

  • The Center for Devices and Radiological Health of the FDA
  • The Office of the National Coordinator for Health Information Technology of the Department of Health and Human Services
  • The Office of Technology Research and Investigation of the Federal Trade Commission
  • The Cybersecurity and Communications Reliability Division of the Federal Communications Commission
  • The National Institute of Standards and Technology of the Department of Commerce
  • The National Cyber Security Alliance

The chairperson would be tasked with appointing at least three qualified industry representatives from the medical device, health care, technology, and software development fields.

Within 18 months of the bill's enactment, the Committee would be charged with reporting on the following:

  1. an identification of existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to mitigate vulnerabilities in the devices described above;
  2. an identification of existing and developing international and domestic cybersecurity standards, guidelines, frameworks, and best practices that mitigate vulnerabilities in such devices;
  3. a specification of high-priority gaps for which new or revised standards are needed; and
  4. potential action plans by which such gaps can be addressed.

As part of the agency’s digital health initiatives, FDA has taken several steps in recent months to raise awareness of threats to medical device security and to work with industry to address the challenges created by networked devices in particular.  Stay tuned and we will continue to report on these developments, including the progress of H.R. 3985, here at Food & Drug Law Access.