Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the "Task Force") published a pre-publication copy of its report on improving cybersecurity in the health care industry.  The Task Force was established by Congress under the Cybersecurity Act of 2015.  The Task Force is charged with addressing challenges in the health care industry "when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional."

The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as "WannaCry," which occurred on May 12.  It is believed that, to date, the malware has infected more than 300,000 computers in 150 jurisdictions.  In the wake of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had "received anecdotal notices of medical device ransomware infection."  HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched.  As in-house counsels understand, the ransomware attack raises a host of legal issues.  For example, a recent Covington alert addresses insurance coverage for ransomware attacks.

Timely as it is, the HCIC report calls cybersecurity a "key public health concern that needs immediate and aggressive attention."  The Task Force identified six high-level imperatives and, for each imperative, provided several recommendations.

The imperatives are as follows:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.

With respect to medical devices (Imperative 2), the Task Force specifically advocates for greater transparency regarding third party software components.  The report encourages manufacturers and developers to create a "bill of materials" that describes a product's components, as well as the known risks to those components, to enable health care delivery organizations to move quickly to determine if their medical devices are vulnerable.  Furthermore, the Task Force writes that product vendors should be transparent about their ability to provide IT support during the lifecycle of a medical device product.  The Task Force also recommends that health care organizations ensure that their systems, policies, and processes account for the implementation of available updates and IT support for medical devices, such as providing patches for discovered vulnerabilities.  The report suggests that government and industry "develop incentive recommendations to phase-out legacy and insecure health care technologies."
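To make the bill-of-materials recommendation concrete, the following Python script is an added illustration (not code from the Task Force report or from any vendor) of how a health care delivery organization could cross-reference vendor-supplied component lists against published component risks and sort its devices into "patch," "legacy" (vulnerable, but no longer vendor-supported) and "ok." Every device model, component name, version and advisory identifier in it is constructed sample data; the version-comparison rule (a component is affected if its version is below the advisory's fixed_in version) is an assumption chosen for the example.

```python
"""Cross-reference device bills of materials against known component risks.

Added example, not from the Task Force report. Illustrates how vendor-supplied
bills of materials (BOMs) let a health care delivery organization decide quickly
which devices are affected by a newly published component risk. All device
models, component names, versions and advisory ids below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    """One entry in a device's bill of materials: a third-party software part."""
    name: str
    version: str


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    bom: Tuple[Component, ...]   # vendor-supplied bill of materials
    vendor_supported: bool       # vendor still provides patches / IT support


@dataclass(frozen=True)
class Advisory:
    """A known risk against a component; versions below fixed_in are affected (assumed rule)."""
    advisory_id: str
    component: str
    fixed_in: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_components(device: Device, advisories: List[Advisory]) -> List[Tuple[Component, str]]:
    """Return (component, advisory_id) pairs for every vulnerable BOM entry of one device."""
    hits = []
    for comp in device.bom:
        for adv in advisories:
            if comp.name == adv.component and parse_version(comp.version) < parse_version(adv.fixed_in):
                hits.append((comp, adv.advisory_id))
    return hits


def triage(devices: List[Device], advisories: List[Advisory]) -> Dict[str, dict]:
    """Classify each device as 'ok', 'patch', or 'legacy' (vulnerable with no vendor fix)."""
    report: Dict[str, dict] = {}
    for dev in devices:
        hits = affected_components(dev, advisories)
        if not hits:
            action = "ok"
        elif dev.vendor_supported:
            action = "patch"          # vendor still ships fixes: schedule the update
        else:
            action = "legacy"         # candidate for compensating controls or phase-out
        report[dev.asset_id] = {
            "model": dev.model,
            "action": action,
            "findings": [(c.name, c.version, adv_id) for c, adv_id in hits],
        }
    return report


# Constructed sample data: hypothetical advisories and a three-device inventory.
SAMPLE_ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-001", "smb-stack", "2.1.0"),
    Advisory("ADV-CONSTRUCTED-002", "tls-lib", "1.0.2"),
]

SAMPLE_INVENTORY = [
    Device("INF-001", "Infusion pump (constructed)",
           (Component("smb-stack", "2.0.4"), Component("tls-lib", "1.0.2")), True),
    Device("MON-007", "Patient monitor (constructed)",
           (Component("smb-stack", "1.9.0"), Component("tls-lib", "0.9.8")), False),
    Device("IMG-003", "Imaging workstation (constructed)",
           (Component("smb-stack", "2.1.0"), Component("tls-lib", "1.1.0")), True),
]


if __name__ == "__main__":
    for asset_id, entry in triage(SAMPLE_INVENTORY, SAMPLE_ADVISORIES).items():
        print(asset_id, entry["model"], "->", entry["action"], entry["findings"])
```

The "legacy" bucket is the point of pairing the bill of materials with vendor support information: a device whose vendor no longer provides updates cannot simply be patched, which is the case the report's phase-out recommendation is aimed at. Real component lists would use a standardized identifier scheme and real advisory versions rather than the constructed ones here.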

The Task Force also encourages medical device manufacturers to implement "security by design," including by prioritizing higher security risk management throughout the product lifecycle, such as through adding greater testing or certification.  In addition, the report encourages both developers and users to take actions that improve the security of access to information stored on devices, such as through multi-factor authentication.  The Task Force recommends that government agencies, such as the Food and Drug Administration (FDA) and the HHS Office of the National Coordinator for Health Information Technology (ONC), consider using existing authorities to "catalyze and reinforce activities and action items" associated with this recommendation.  This includes leveraging existing government guidance and industry standards, like FDA's premarket and postmarket cybersecurity guidance documents.  Published in 2014 and 2016, these documents recommend that "manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of [the secure development lifecycle]."  We previously discussed these guidance documents here and here.

Finally, the Task Force recommends that the health care industry take a "long-range approach" to considering the "viability, effectiveness, safety, and maintainability" of medical devices.  The Task Force notes that each product should have a clear strategy and design that supports cybersecurity at every stage of the product lifecycle.  In particular, the Task Force encourages HHS to evaluate existing authorities to conduct cybersecurity surveillance of medical devices.