What is the Internet of Medical Things Resilience Partnership Act?

The Internet of Medical Things Resilience Partnership Act is a U.S. House bill introduced in 2017 that proposed creating a Food and Drug Administration-led public-private working group to recommend voluntary frameworks and guidelines to improve the cybersecurity and operational resilience of networked medical devices used in healthcare and by patients. The bill focused on Internet of Medical Things devices that connect to networks and exchange data, including devices used in hospitals, implanted devices, and devices used in the home, where cybersecurity weaknesses can create patient safety risks and expose electronic protected health information.

The bill described a stakeholder partnership model rather than a new mandatory federal security standard for manufacturers or providers. The proposed working group was intended to include federal participants such as the National Institute of Standards and Technology and the HHS Office of the National Coordinator for Health Information Technology, along with industry and other private sector representatives involved in medical device development, deployment, and connectivity. The work product contemplated by the bill was a set of recommendations based on existing cybersecurity frameworks and guidance, plus identification of gaps where new or revised standards could be needed.

The bill also contemplated deliverables and timelines tied to enactment, including development of recommendations and submission of a report within a defined period after the bill became law. The measure did not create HIPAA enforcement authority or modify the HIPAA Privacy Rule, HIPAA Security Rule, or HIPAA Breach Notification Rule. Healthcare organizations and Business Associates that deploy networked medical devices remain responsible for implementing administrative, physical, and technical safeguards under the HIPAA Security Rule for electronic protected health information, including risk analysis, risk management, access control, audit controls, integrity protections, and transmission security, regardless of whether a device-specific voluntary framework exists.

For compliance and procurement functions, the bill is relevant as a policy signal supporting standardized device cybersecurity practices and information sharing between manufacturers, healthcare delivery organizations, and federal agencies. Security governance for Internet of Medical Things devices typically requires aligning device inventory and network segmentation practices with documented risk management, vendor oversight, patch and vulnerability management, logging and monitoring, and incident response procedures that account for device constraints and clinical safety. Contracting and implementation workflows can incorporate security requirements and documentation requests that map device capabilities and manufacturer support commitments to the organization’s HIPAA Security Rule safeguards and broader cybersecurity program controls.

About James Keogh 152 Articles
James Keogh has been writing about the healthcare sector in the United States for several years. With several years of covering healthcare topics, he has developed expertise in HIPAA-related issues, including compliance, patient privacy, and data breaches. His work is known for its thorough research and accuracy, making complex legal and medical information accessible. James's articles are valuable resources for healthcare professionals and have been featured in reputable publications. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681.