The public-private sector Healthcare and Public Health Sector Coordinating Council (HSCC) has released the Medical Device and Health IT Joint Security Plan (JSP), which contains recommendations for managing medical device security in clinical practice.
Developed over the past year, the plan is a reference guide for developing, deploying, and supporting secure medical devices and health IT products in the healthcare environment. The plan was developed by medical device manufacturers, healthcare IT vendors, healthcare providers, and the federal government.
The JSP grew out of a set of recommendations issued in June 2017 by the Health Care Industry Cybersecurity (HCIC) Task Force, which urged increasing the security and resilience of medical devices and health IT. The task force was established by HHS as directed by the Cybersecurity Act of 2015.
“You have the three major stakeholders [device makers, healthcare providers, and the FDA] in this process with an incentive to find a solution that is scalable, from small to mid-sized hospital organizations and medical device makers, to the much larger, more sophisticated national and global entities,” HSCC Executive Director for Cybersecurity Greg Garcia told sister publication HealthITSecurity.com.
The JSP applies security-by-design principles throughout the product lifecycle of medical devices and health IT products. It identifies the shared responsibility among industry stakeholders to coordinate security-related standards, risk assessment methodologies, and vulnerability reporting requirements, with the aim of improving information sharing between device manufacturers and healthcare organizations.
The plan lays out a structured cyber risk management framework that details what the medical device community and healthcare providers are responsible for when it comes to medical device security, Garcia explained.
The JSP was produced by the medical device security task force of HSCC’s Joint Cyber Security Working Group. That task force was co-chaired by Mayo Clinic Director of Clinical Information Security Kevin McDonald, BD Director of Product Security Rob Suarez, and FDA Senior Project Manager Aftin Ross.
“The goal of this effort was to align cybersecurity priorities and processes between medical device manufacturers and healthcare providers to lower the cybersecurity risk in medical devices. By creating this alignment, we can strengthen the security of medical technology against cyber threats, improve cyber risk management within healthcare organizations, and better protect patient safety,” said McDonald.
The JSP will be updated as required to adapt to the changing threat environment for medical devices and health IT technologies.
“The medical device industry recognizes that, as patient care is increasingly provided across a networked and internet-connected environment, security in turn needs to keep pace with the technological innovation that is driving patient care,” said Suarez. “The JSP provides a scalable security roadmap for large and small manufacturers, and the customers they serve.”
The plan includes:
- Cybersecurity best practices in design and development of medical technology products
- Methods to handle product complaints about cybersecurity incidents and vulnerabilities
- Security risk management throughout the lifecycle of medical technology
- Maturity assessments of a product cybersecurity program
The plan stresses that effective cybersecurity must be integrated into an organization’s quality system processes and into each stage of the commercialization process, rather than treated as a separate activity.
“Securing medical devices from cybersecurity threats cannot be achieved by the FDA on its own,” commented Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health.
“That’s why the FDA has long been committed to working hard with various stakeholders like the HSCC to stay a step ahead of constantly evolving cybersecurity vulnerabilities. In this way, we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate,” Schwartz said.