Senate Finance Committee Republicans took matters into their own hands to confirm two of President Donald Trump’s nominees.

In an effort to advance Trump’s nominees for Treasury secretary and secretary of the Department of Health and Human Services–Steven Mnuchin and Congressman Tom Price–the Republicans on the panel of the Senate Finance Committee voted in a surprise meeting on Wednesday morning to change the procedural rules that outlined that Democrats must be in attendance to vote on the nominees.  With this rule change, Mnuchin and Price were approved by the committee in a 14-0 vote, allowing for the nominations to go to the full Senate for approval.

Where are @SenateFinance Dems this morning? Standing with the ppl of OH and others hurt by the abusive practices of Mnuchin’s bank. pic.twitter.com/AvLpnxyJko

— Sherrod Brown (@SenSherrodBrown) February 1, 2017

This move comes a day after Democrats on the panel of the Senate Finance Committee staged a boycott of Mnuchin and Price’s hearings, which presented an obstacle considering the standing rule was that at least one Democrat had to be present in order for any votes to take place. The boycott was led by Senators Sherrod Brown and Roy Wyden in an effort to push for more vetting of both Mnuchin and Price, both of whom the senators claim gave misleading testimonies and responses during the committee hearings about their investments and foreclosure practices, respectively.

.@sensherrodbrown on why Senate Dems boycotting Price and Mnuchin committee votes. https://t.co/qr5oT2gOHX

— Andrew Rafferty (@AndrewNBCNews) January 31, 2017

The Democratic senators outlined their concerns and request for further questioning in a letter sent to the committee’s chairman, Republican Senator Orrin Hatch, this morning.

Here are the questions @SenateFinance Democrats want answers to from Price & Mnuchin pic.twitter.com/jo2NOyq484

— Ron Wyden (@RonWyden) February 1, 2017

Talking to reporters on Tuesday afternoon, Hatch relayed his annoyance with the boycotting senators. “I’m very disappointed in this kind of crap . . . This is the most pathetic thing I’ve seen in my whole time in the United States Senate,” Hatch said.

Even after the rule change and the approval of Trump’s two nominees, Hatch still took time to go after the committee’s Democrats for their boycott, telling reporters that the boycott was “unprecedented obstruction” and a “cheap political ploy.” However, the boycott might not be as unprecedented as Hatch claims it to be, considering, as many have pointed out, the Republicans boycotted in 2013 to block the confirmation of Gina McCarthy as the head of the Environmental Protection Agency.

The rule change and verbal sparring in the media between Finance Committee members just adds to the rising tension between members of Congress. Yesterday, Senate Minority Leader Chuck Schumer voted no on the confirmation of Elaine Chao as Transportation Secretary, who is Senate Majority Leader Mitch McConnell’s wife. Earlier today, things got contentious between Democratic Senator Al Franken and GOP Senator John Cornyn during a Judiciary Committee meeting when Cornyn took exception to Franken calling out absent GOP Senator Ted Cruz. In addition, Democratic senators on the Environmental and Public Works Committee–taking a cue from their colleagues on the Finance Committee–have staged a boycott of the vote to confirm Scott Pruitt as the head of the EPA.

Al Franken calls out absent Ted Cruz & Cruz’s GOP colleague John Cornyn objects. Franken: “Well, he should be here.” pic.twitter.com/zjMBDhshnJ

— Keith Boykin (@keithboykin) February 1, 2017

And this is only Day 12 of Trump’s presidency.

Austin Elias-De Jesus

Austin is an editorial intern at Law Street Media. He is a junior at The George Washington University majoring in Political Communication. You can usually find him reading somewhere. If you can’t find him reading, he’s probably taking a walk. Contact Austin at Staff@Lawstreetmedia.com.

The post Senate Republicans Change Finance Committee Rules to Push Through Nominees appeared first on Law Street.

Medical information is usually viewed as a private affair. But due to the proliferation of technologically advanced devices–heart monitors, X-ray devices, and even fitness trackers–the ability to gain access to a person’s sensitive health information may be easier than most realize. Unsecured devices could lead to disastrous consequences, as any alteration to a patient’s device could be a life or death situation. Medical device hacking may be the largest cybersecurity threat faced by Americans in the coming years. This gigantic security concern is quietly lurking in citizens’ insulin pumps and pacemakers.

Despite having federal and state guidelines to protect and secure individually identifiable health information, accessing a person’s most detailed medical information may be as simple as pressing a few buttons. New Food and Drug Administration (FDA) guidelines issued at the end of 2016 may be able to combat easy access to medical devices, but only with cooperation from device manufacturers. There are also no current plans for enforcement of these guidelines by the FDA, as they are non-binding recommendations. Read on to learn about the security concerns presented by medical devices.

What is a Medical Device?

A medical device, as defined by the FDA, is “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory” that is used “in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Such devices are regulated by the FDA and may be utilized for animals as well as humans. Tongue depressors, bedpans, x-ray machines, and complex programmable pacemakers with microchip technology all fall under the broad definition of a medical device. Moreover, surgical lasers, wheelchairs, and even sutures and orthopedic pins are classified as medical devices. If the primary intended use of a product is achieved via a chemical reaction or metabolized by the body, then it will usually fall under the definition of a “drug.” The U.S. is the global leader in the medical device market, with a total market size of roughly $148 billion in 2016. The Department of Commerce determined that U.S. exports of medical devices in specific categories exceeded $44 billion in 2015. Research and development in this sector are also more than twice the average for all U.S. manufacturers.

Medical Privacy Laws

A person’s medical history is a deeply personal collection of information. Highly sensitive material ranging from mental health treatment and sexual history to genetic disorders and diseases can be contained in an individual’s medical file. Numerous laws have been passed in the U.S. on federal and state levels to ensure that Americans’ health information remains confidential and secure. The most comprehensive law ever passed in the field of medical privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act required the Secretary of the Department of Health and Human Services to develop regulations to protect the privacy and security of certain medical information. Under HIPAA, the government established national standards to protect individuals’ medical records and give patients control over who can access personal health information. Essentially, without direct patient authorization, specific entities are limited on the uses and disclosures of individuals’ medical records.

“Paper files of medical records” Courtesy of Newtown grafitti : License: (CC BY 2.0)

In 2000, the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) came into effect; the guidance comprehensively explains answers to questions about the privacy requirements of HIPAA. Generally, the Privacy Rule permits that incidental uses and disclosures are permissible only if they are a by-product of a reasonable or permissible disclosure. The rule requires covered entities to take reasonable steps to limit the use or disclosure of protected health information. It applies to health plans, health care clearing houses, and any health care provider who transmits health information in electronic form. Individually identifiable health information is information that relates to: an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for health care for the individual.

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) also established national security standards for certain health information held or transferred in electronic form. The Security Rule particularly addressed technical and non-technical safeguards that covered entities must utilize to protect individuals’ electronic protected health information (e-PHI). Entities covered by the Security Rule must ensure the confidentiality and integrity of all e-PHI being received or transmitted, as well as protect against any reasonably anticipated threats to the security or integrity of such information. Under the intricacies of HIPAA’s Privacy Rule and Security Rule, the U.S. government has clearly gone to great lengths to protect citizens’ medical records from improper use or disclosure by entities without direct patient authorization. Certain medical devices utilized today may contain information regarding a person’s medical condition that is as detailed as their medical records–what ailments a person is being treated for, or what dosage of medicine a person takes daily. Therefore, protecting these devices from unwanted intrusion and hacking should be of the utmost importance to ensure patient health and privacy.

Medical Device Security and Privacy Concerns

The FDA has been warning hospitals and health providers for years that medical devices and hospitals are vulnerable to hackers. In early 2016, the Hollywood Presbyterian Medical Center in California fell victim to a ransomware attack, which infects a computer and then encrypts files until someone pays to have it unlocked. The attackers in California held patients’ medical data hostage until the ransom was paid, roughly $17,000 in bitcoin. Ransomware also hit other hospitals around the country.

One of the largest consumer concerns regarding medical devices is that individuals can do little to protect their devices themselves. It’s up to the manufacturers of a device’s hardware and software to employ proper security measures. Another issue plaguing medical devices is that most of the laws protecting medical privacy fall under the Health and Human Services’ umbrella; however, regulating medical devices falls in part under FDA jurisdiction. The disconnect explains how the interactions between medical device regulations and privacy laws lead to administrative issues. In a cybersecurity briefing, the U.S. government warned that pacemakers were easy targets for hackers.

Furthermore, in October 2016, Johnson & Johnson notified 114,000 diabetic patients that a hacker could potentially exploit one of its insulin pumps. The pump could be attacked by either disabling the device or altering the dosage of insulin. Some medical infusion pumps in hospitals are even connected wirelessly because it makes monitoring dosages easier. Patients in the hospital could potentially have their pumps controlled remotely by a hacker, which is relatively simple to do.

While the threat to medical devices has been common knowledge for the past few years, few people have attempted to rectify the glaring holes in the current system. Security researchers have managed to remotely control medical devices including pacemakers, insulin pumps, and defibrillators. Thus, it is quite possible that hackers may start setting their sights on specific medical devices, not just entire hospital systems. U.S. officials began investigating flaws in pacemakers in August 2016, when a batch ran out of battery three months earlier than anticipated. While that particular batch simply had a rare defect that caused them to fail, the months of investigation culminated in the FDA releasing 30 pages of guidance regarding medical devices’ security flaws.

New FDA Guidelines

The FDA first issued a guidance in October 2014 that contained recommendations for manufacturers to build medical devices with cybersecurity protections. These guidelines were expanded in December 2016; however, the recommendations to manufacturers were non-binding, making the document not legally enforceable and not a particularly strong stance on securing future medical devices. As part of the new recommendations issued, the FDA encourages manufacturers to swap information with each other and consistently deploy software patches and updates to fix any security vulnerabilities. Moreover, the agency has asked manufacturers to adhere to a checklist created by the National Institute of Standards and Technology. Early product development that focuses on protecting medical devices from hackers is of the utmost importance. The FDA also suggested that manufacturers join the Information Sharing and Analysis Organization to share details about detected security risks and attacks when necessary.

Conclusion

Researchers saw a rise in the occurrences of cyberattacks on a global scale in 2016. Technological advances in medical devices certainly encourage more effective health treatment, but the increasing reliance on vulnerable software potentially puts the health of citizens at risk. Thus, implementing a structured and comprehensive plan to manage cybersecurity risks is critical. While the new FDA guidelines are a respectable start to ensuring medical devices are free from cybersecurity threats, making the recommendations mandatory as opposed to voluntary may be the only way to keep individuals’ medical information safe from prying eyes. Many contend that while the recommendations could be more stringent, this is just the first step in a long road to addressing cybersecurity in the medical field. For now, the onus remains on the manufacturers to patch detected vulnerabilities in their devices and software and develop devices safe for consumers.

Nicole Zub

Nicole is a third-year law student at the University of Kentucky College of Law. She graduated in 2011 from Northeastern University with Bachelor’s in Environmental Science. When she isn’t imbibing copious amounts of caffeine, you can find her with her nose in a book or experimenting in the kitchen. Contact Nicole at Staff@LawStreetMedia.com.

The post Privacy Concerns: Can Your Medical Device Be Hacked? appeared first on Law Street.