FDA’s Open Source App, NTIA on SBoMs and National Privacy?
TLP White: This week we start by examining FDA’s recent release of an open source app that aims to help healthcare delivery organizations better collect patient data. We also discuss NTIA’s effort to encourage software component transparency and open communication between healthcare entities. We end by shedding some light on a possible new push to pass federal privacy legislation in the United States.
Welcome back to Hacking Healthcare.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion from the health sector perspective, become a member of H-ISAC and receive the TLP Amber version.
Hot Links –
- FDA’s Open Source Code Facilitates Patient Data Collection. The U.S. Food and Drug Administration (“FDA”) has published open source code for its MyStudies application to provide healthcare organizations with a better way to collect patient data for clinical trials and medical studies.[1] The app allows patients to directly submit data and has the added benefit of a partitioned data storage environment that complies with the Federal Information Security Management Act and the FDA’s electronic records regulation.[2] Because it is open source, FDA hopes software developers will customize the code for their own purposes, improve upon it, and share those improvements with the public. The agency’s release of this open source code advances data integration for patient-generated health information into larger data sets.
It seems that FDA is intertwining itself with tech-related business now more than ever. We previously wrote about the agency’s recent release of a playbook for cybersecurity preparedness and incident response.[3] The playbook places a premium on security and privacy by design. We also mentioned new draft guidance FDA published to govern premarket submissions for medical devices that have a cybersecurity element.[4] FDA appears to be focusing on cybersecurity vulnerabilities in the medical space while simultaneously encouraging healthcare organizations to embrace new technology platforms to collect patient data. The agency therefore wants to harness technological advancements for healthcare delivery, but only to the extent that privacy and security concerns are at the forefront. This will continue to be a difficult but important balance to maintain.
- NTIA Embraces SBOMs to Speed Up Patch Distribution. The National Telecommunications and Information Administration (“NTIA”) has engaged medical device manufacturers and healthcare delivery organizations to participate in a proof of concept effort.[5] This effort is meant to show how these industry players can use a software bill of materials (“SBOM”) to inform one another about vulnerabilities and software updates. An SBOM is more or less an inventory of the software components that make up an application, regardless of how simple or complex it may be. A useful, albeit imperfect, analogy is food labels, which show the ingredients in most of what we eat and drink. Tracking that information is essential for people with allergies, or when recalls are necessary.
Similarly, an SBOM allows organizations along the supply chain to know what software is included in the application, which in turn can help to identify vulnerable installations that need to be patched or otherwise have mitigations put into place. Because applications leverage software components that can come from many different sources, keeping track of those components can be challenging. NTIA believes that making software components known to others in a given supply chain will improve the speed and success of responses to software vulnerabilities, including in the healthcare sector.
The proof of concept is part of a broader software transparency multi-stakeholder effort being led by NTIA around SBOMs that also covers other aspects such as standards and component element definition.[6] Anyone interested in participating should reach out to NTIA by contacting Allan Friedman at afriedman@ntia.doc.gov.
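To make the “identify vulnerable installations that need to be patched” step concrete, here is an added example (not code from FDA, NTIA, or the proof of concept participants) that matches a set of SBOMs against a vendor advisory. Everything in it is constructed: the advisory, the four installations, and the simplified SBOM shape (a name/version component list with optional nested dependencies, rather than a full CycloneDX or SPDX document). It compares versions numerically rather than as strings and walks nested components so a vulnerable library bundled inside a vendor SDK is not missed.

```python
import json

# Constructed advisory (not from any real vendor): "imaging-core" releases from
# 2.0.0 up to, but not including, the fixed release 2.3.1 are affected.
ADVISORY = {"component": "imaging-core", "introduced": "2.0.0", "fixed": "2.3.1"}

# Constructed SBOMs for four hypothetical installations, keyed by an installation
# label. The document shape is a simplified name/version component list in which
# a component may carry its own nested "components" (its bundled dependencies);
# it is not a full CycloneDX or SPDX document.
SBOMS = {
    "infusion-pump-fw-4.2": json.dumps({
        "components": [
            {"name": "rtos-kernel", "version": "7.1.0"},
            {"name": "imaging-core", "version": "2.1.0"},
        ]
    }),
    "bedside-monitor-3.0": json.dumps({
        "components": [
            {"name": "imaging-core", "version": "2.3.1"},  # already on the fixed release
        ]
    }),
    "ward-gateway-1.0": json.dumps({
        "components": [
            # vulnerable library pulled in transitively by a vendor SDK
            {"name": "vendor-sdk", "version": "5.0.2",
             "components": [{"name": "imaging-core", "version": "2.2.5"}]},
        ]
    }),
    "pharmacy-kiosk-2.2": json.dumps({
        "components": [
            {"name": "imaging-core", "version": "1.9.0"},  # predates the affected range
        ]
    }),
}


def parse_version(version):
    """Turn '2.3.1' (or '2.3.1-rc1', ignoring the suffix) into a comparable tuple."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed, compared numerically, not as strings."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def iter_components(components):
    """Walk a component list depth-first so nested (transitive) dependencies are seen too."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def affected_installations(sboms, advisory):
    """Return {installation: vulnerable version} for every SBOM carrying an affected component."""
    hits = {}
    for label, document in sboms.items():
        sbom = json.loads(document)
        for comp in iter_components(sbom.get("components", [])):
            if comp["name"] == advisory["component"] and is_affected(comp["version"], advisory):
                hits[label] = comp["version"]
    return hits


if __name__ == "__main__":
    for label, version in sorted(affected_installations(SBOMS, ADVISORY).items()):
        print(f"{label}: {ADVISORY['component']} {version} needs patching to {ADVISORY['fixed']}")
```

Run as-is it reports the infusion pump and the ward gateway; the monitor is already on the fixed release and the kiosk predates the affected range. The numeric comparison matters in practice: a string comparison would wrongly treat 2.10.0 as older than 2.3.1.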
- Congressional Shift May Signal a Privacy Push. After Democrats took control of the House of Representatives last Tuesday, publications immediately began to speculate about their legislative priorities for the upcoming term. Some have said that among immigration, antitrust, and a number of other focuses, privacy may be a key issue for House Democrats this winter.[7] Others believe that while legislators will have differing opinions on how to shape new federal privacy legislation, this may be a potential area for bipartisanship in a Congress that will likely face challenges when it comes to compromise in the upcoming months.[8]
Ultimately, it is unclear how Congress would balance big tech and advertising companies’ concerns about sweeping privacy legislation against the United States’ desire for a comprehensive approach to privacy standards and enforcement. While some companies have advocated for greater governmental oversight of data collection and sharing practices,[9] others are apprehensive about what compliance with a broadly sweeping federal privacy statute might mean.[10] Some legislators, like Sen. Ron Wyden (D-OR), have pushed for strong privacy protections for individuals online. Senator Wyden has put forth draft legislation that would set up a “Do-Not-Track” registry allowing individuals to opt out of online data tracking.[11] This draft bill takes cues from the European Union’s General Data Privacy Regulation, as it is grounded in consumer protection and consumer choice over online data usage.
Congress –
Tuesday, November 13:
–No relevant hearings.
Wednesday, November 14:
–No relevant hearings.
Thursday, November 15:
–No relevant hearings.
International Hearings/Meetings –
EU –
Tuesday, November 13:
–Hearing entitled, “Assessing the impact of digital transformation of health services” (EU Commission’s Expert Panel on Health).[12]
Conferences, Webinars, and Summits –
–Blended Threat Webinar Series – The Blended Threat of Electro-Magnetic Pulses (EMP) – Webinar (11/15) <https://nhisac.org/events/nhisac-events/blended-threat-webinar-series-emp/>
–Cybersecurity Summit & Expo – London, UK (11/15)
–NH-ISAC Blended Threats Exercise Series – So. CA (11/19) <https://nhisac.org/events/nhisac-events/blended-threats-exercise-series/>
–EY Cyber Rx – Cambridge, MA (11/19) <https://nhisac.org/events/nhisac-events/ey-cyber-rx/>
–2018 NH-ISAC Fall “Never Stand Alone” Summit – San Antonio, TX (11/26-30) <https://nhisac.org/summits/2018-fall-summit/>
–H-ISAC Radio live at Fall Summit: IAM and Portable Identity discussions, San Antonio, TX (11/28) Participation link to be sent in Member email.
–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>
–FIRST Symposium 2019 – London, UK (3/18/19) <https://nhisac.org/events/nhisac-events/first-symposium-2019/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
Sundries –
—IoT Security: Why it will get worse before it gets better
<https://www.zdnet.com/article/iot-security-why-it-will-get-worse-before-it-gets-better/#ftag=RSSbaffb68>
—Finding Gold in the Threat Intelligence Rush
<https://www.darkreading.com/analytics/finding-gold-in-the-threat-intelligence-rush/d/d-id/1333224?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple>
—User Behavior Analytics Could Find a Home in the OT World of the IIoT
<https://www.darkreading.com/attacks-breaches/user-behavior-analytics-could-find-a-home-in-the-ot-world-of-the-iiot/a/d-id/1333212?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple>
—Symantec researchers dissect North Korean malware used in ATM attacks
<https://www.cyberscoop.com/lazarus-group-north-korea-atm-attacks-symantec/>
—Why NIST is so popular in Japan
<https://www.cyberscoop.com/nist-japan-workforce/>
—Health Data Breach Compromised PHI on 566K CNO Customers
<https://healthitsecurity.com/news/health-data-breach-compromised-phi-on-566k-cno-customers>
—U.S. accuses China of violating bilateral anti-hacking agreement
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.healthcareitnews.com/news/fda-unveils-open-source-code-collecting-patient-data
[2] Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541 et seq. (2012); 21 C.F.R. § 11 (2018).
[3] https://www.mitre.org/publications/technical-papers/medical-device-cybersecurity-regional-incident-preparedness-and
[4] https://www.mitre.org/publications/technical-papers/medical-device-cybersecurity-regional-incident-preparedness-and
[5] https://insidecybersecurity.com/daily-news/details-emerging-healthcare-proof-concept-group-ntia-software-transparency-initiative
[6] https://www.ntia.doc.gov/SoftwareTransparency
[7] https://www.thestreet.com/technology/with-democrats-taking-the-house-privacy-and-antitrust-are-key-issues-to-watch-14771593
[8] https://www.thestreet.com/technology/how-the-midterm-elections-affect-big-tech-14767937
[9] https://www.theverge.com/2018/10/24/18017842/tim-cook-data-privacy-laws-us-speech-brussels
[10] https://www.cnet.com/news/us-privacy-law-is-on-the-horizon-heres-how-tech-companies-want-to-shape-it/
[11] https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%20Bill%20Discussion%20Draft%20Nov%201.pdf
[12] https://ec.europa.eu/health/expert_panel/events_en