The Department of Homeland Security warned providers in July 2017 about several cybersecurity vulnerabilities in molecular imaging products manufactured by Siemens.
The vulnerabilities, which allow an attacker to access the devices remotely, were found in four devices running Windows XP and Windows 7. Siemens said it is updating the affected products and recommends either running the devices on a dedicated network protected by a firewall, or disconnecting the devices from the network and reconnecting them only after a patch has been installed.
In August, U.S. Senator Richard Blumenthal (D-CT) introduced a bill in the Senate that would add requirements for medical device cybersecurity, including mandated testing and better remote access protections.
The Medical Device Cybersecurity Act of 2017 seeks to improve medical device security by:
Increasing transparency of medical device security by creating a “cyber report card” for devices and mandating testing prior to sale;
Bolstering remote access protections for medical devices in and outside of the hospital;
Ensuring that crucial cybersecurity fixes or updates remain free and do not require FDA recertification;
Providing guidance and recommendations for end-of-life devices, including secure disposal and recycling instructions; and
Expanding the DHS Computer Emergency Readiness Team (ICS-CERT) responsibilities to include the cybersecurity of medical devices.
“Without this legislation, insecure and easily exploitable medical devices will continue to put Americans’ health and confidential personal information at risk,” said Sen. Blumenthal in an announcement.
The bill is supported by the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security.