January 17, 2020

January 17, 2020

Subscribe to Latest Legal News and Analysis

January 16, 2020

Subscribe to Latest Legal News and Analysis

January 15, 2020

Subscribe to Latest Legal News and Analysis

House Asks HHS to Develop Health Care Cyber Risk Plan

Last week, the Chairman on the House of Representatives’ Committee on Energy and Commerce, Greg Walden (R-OR), sent a formal letter to the Dept. of Health and Human Services (“HHS”) requesting that HHS “develop a plan of action for creating, deploying, and leveraging [bill of materials] for health care technologies.” Walden gave HHS until December 15th to respond with a plan of action. This development is important for hospitals and other health care organizations because it could indicate that HHS may begin to prioritize examining (and/or enforcing existing requirements, such as the HIPAA risk analysis provisions in 45 C.F.R. § 164.308(a)(1)), related to the formal processes in which such organizations engage to identify and mitigate potential risks and vulnerabilities.

A bill of materials (“BOM”) is a list of each component, including software components, and any known risks associated with a component of a piece of medical technology.   The idea behind the request is that a BOM could potentially provide visibility on cybersecurity risks for health care organizations that use such technologies. Healthcare organizations, such as hospitals, may then use the BOM to assess and mitigate their own cybersecurity risks.

Citing many recent cybersecurity attacks against both hospitals and medical devices, Walden stated that it is important to elevate “the security posture of health care organizations,” by providing visibility into the products and systems the organization uses. Walden also pointed to similar recommendations made in the recent Health Care Industry Cybersecurity Task Force report and concerns raised by the WannaCry and NotPetya ransomware attacks (both of which we have covered extensively in the past – click herehere and here). Health care organizations will use this increased visibility to “assess their levels of risk and adjust their [cybersecurity risk management] strategies appropriately.” Health care organizations would then use the BOM to assess the risk of medical devices and other pieces of technology on their networks and implement any necessary mitigation strategies.

The natural outcome of greater transparency into risks is the impetus to mitigate the risks. This is important for hospitals and other health care organizations to keep in mind as the outcome of Walden’s request moves through HHS and its related agencies. Medical device manufacturers must already perform systematic risk management activities and keep records of the components that are used in their devices. “Covered Entities” and “Business Associates” subject to the HIPAA Security Rule must likewise conduct risk analyses and periodic evaluations of security efforts (see, for example, 45 C.F.R. §§ 164.308(a)(1) & 164.308(a)(8)). However, managing cybersecurity risks inherent in the interactions between medical devices, the resident IT systems, and operators could prove to be a larger task for health care organizations.

© Copyright 2020 Squire Patton Boggs (US) LLP

TRENDING LEGAL ANALYSIS


About this Author

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs
Partner

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively...

202-457-6407
Sarah H. Stec, Squire Patton Boggs, International Regulations Lawyer, Life Sciences Attorney
Associate

Sarah is an associate in the Healthcare Practice in Washington DC. She has experience in assisting healthcare and life sciences companies understand new and evolving regulatory duties, including how those international regulations can work together as well as providing guidance on international corporate accreditation and regulatory issues.

202 457 6304