New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector.

More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing Act of 2015.

“It is important for medical device manufacturers and health IT vendors to consider the JSP’s voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” explained HSCC.

Cybersecurity controls can be difficult to integrate into existing processes. Organizations often fail to recognize how important security controls are, and when considering how to enhance cybersecurity many do not know where to start or have insufficient resources to devote to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to implementing the JSP as it is believed that by doing so patient safety will be improved.

The JSP can be adopted by organizations of all sizes and stages of maturity and helps them enhance cybersecurity of medical devices by addressing key challenges. Many large manufacturers have already created similar cybersecurity programs to the JSP, so it is likely to be of most use for small to medium sized companies that lack awareness of the steps to take to improve cybersecurity as well as those with fewer resources to devote to cybersecurity.

The JSP utilizes security by design principles and identifies shared responsibilities between industry stakeholders to harmonize security standards, risk assessment methodologies, reporting of vulnerabilities, and improve information sharing between device manufacturers and healthcare providers. The JSP covers the entire lifecycle of medical devices, from development to deployment, management, and end of life. The JSP includes several recommendations including the incorporation of cybersecurity measures during the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigation of post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan can be downloaded on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.