Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices for medical device manufacturers and healthcare provider organizations to help them improve their security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way.

The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete.

HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the National Health Service in the UK was badly affected and had its systems crippled.

Later in 2017, the Healthcare Industry Cybersecurity Task Force, which was set up following the passing of the Cybersecurity Act of 2015, submitted a report to Congress that included more than 200 recommendations for improving healthcare cybersecurity and preventing cyberattacks on healthcare organizations from succeeding.

Since the report was released, scores of healthcare industry stakeholders have joined the HSCC Cybersecurity Working Groups and Task Groups and have been working toward strengthening cybersecurity in the healthcare industry and improving privacy protections for patients.

HSCC held a multi-stakeholder meeting in February 2018 to improve coordination of efforts to address cybersecurity challenges and the HHS held a meeting in June 2018 where members of the HSCC Cybersecurity Working Group provided an update on progress and received further direction on key priorities.

HSCC notes that there is considerable momentum and great strides are being taken to improve healthcare cybersecurity. As detailed in September’s National Cyber Strategy, policymakers within the Administration and Congress are addressing cybersecurity threats and state that the government will work closely with the private sector to manage risks to critical infrastructure, including healthcare.

The Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2018 (H.R. 6378) now contains cybersecurity provisions and requires the HHS to submit its strategy to Congress for public health preparedness and response to address cybersecurity threats. A joint table-top exercise will also be conducted with the HHS covering a simultaneous flu pandemic and cascading ransomware attack.

“We recognize that patient safety has taken on a new dimension that demands our attention – the recognition that patient security requires cybersecurity,” explained HSCC. “The health sector is now organized and working to fortify the industry’s immune system against a cyber epidemic that has become as infectious as a human epidemic.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.