Dive Brief:
- The House Energy and Commerce Committee on Friday released a report identifying strategies to strengthen the nation's defenses against cybersecurity vulnerabilities. The culmination of several years of committee work, the Cybersecurity Strategy Report draws on dozens of briefings, hearings, roundtables and other research to identify ways to address and prevent IT-related incidents.
- The report lists six priority areas for future action: widespread adoption of coordinated disclosure programs; implementing a software bill of materials across connected technologies; supporting open-source software; improving the Common Vulnerabilities and Exposures (CVE) program; implementing supported-lifetime strategies for technologies; and strengthening the public-private partnership model.
- On the same day, Health Canada released its own draft guidance document on premarket requirements for medical device cybersecurity, stressing the importance of secure design, device-specific risk management, verification testing and monitoring of emerging risks.
Dive Insight:
Work on the U.S. House Energy and Commerce Committee Cybersecurity Strategy Report began after the troubled launch of healthcare.gov and a customer data breach at retailer Target at the end of 2013. Roundtables with private sector stakeholders in 2015 and 2016 focused on coordinated disclosure for critical sectors such as medical devices and automobiles.
In March 2017, the ransomware attack dubbed WannaCry infected hundreds of thousands of medical devices in dozens of countries with file-encrypting malware within hours. The attack crippled healthcare systems in the United Kingdom, yet many organizations did not know they were exposed to the flaw it exploited. The difficult response to attacks like WannaCry is why officials think a bill of materials would help healthcare providers understand what software runs on their systems and assess the risks associated with medical devices on their networks, the committee said.
The WannaCry ransomware outbreak was followed by a more destructive malware strain known as NotPetya that exploited outdated technologies, the report noted. In response, the committee in April released a formal request for information seeking input on how to address legacy technologies in the healthcare sector. The committee said it received 300 pages of comments and held a roundtable in October with healthcare industry members to discuss strategies and responsibilities for improving transparency on legacy technology risks.
Two congressional hearings in 2017 focused on the public-private partnership model as a framework for responding to technology infrastructure threats and concluded that HHS needs to remain an effective leader in improving cybersecurity. A white paper by the committee in October 2018 recommended Congress encourage organizations to adopt coordinated vulnerability disclosure programs as one way to address unknown threats.
The committee said its third priority, supporting the open-source software (OSS) ecosystem, is critical because of the growing complexity and scale of modern information systems. It cited advice from the Linux Foundation, which stated that "it is the collective responsibility—and imperative—for business, industry, academic and technology leaders to work together to ensure that OSS is written, maintained and deployed as securely as possible."
Further, the Common Vulnerabilities and Exposures (CVE) program should be a cornerstone of all organizations' cybersecurity efforts, the report said. The program, launched in 1999 and administered by the Department of Homeland Security and Mitre, provides a standardized naming scheme for cybersecurity vulnerabilities worldwide. However, an investigation by the committee found the program has struggled thus far to fulfill its purpose.
HHS plans to hold a public meeting on Feb. 25, 2019, to encourage development of the bill of materials concept.