HSCC releases medical device, health IT cybersecurity plan

A private-public coalition of healthcare stakeholders has issued a consensus-based guide for developing, deploying, and supporting cyber-secure medical devices and health IT across their product lifecycles.

The Joint Security Plan, developed by the Healthcare and Public Health Sector Coordinating Council, is a voluntary framework meant to improve industry-wide cybersecurity and information sharing.

“The goal of this effort was to align cybersecurity priorities and processes between medical device manufacturers and healthcare providers to lower the cybersecurity risk in medical devices,” said Kevin McDonald, co-chair of the initiative and director of clinical information security at the Mayo Clinic. “By creating this alignment, we can strengthen the security of medical technology against cyber threats, improve cyber risk management within healthcare organizations, and better protect patient safety.”

According to HSCC, the JSP responds to a set of recommendations issued in June 2017 by the Health Care Industry Cybersecurity (HCIC) Task Force, which was established by the Department of Health and Human Services as directed by the Cyber Security Act of 2015.

While the JSP is not a standard, HSCC sees the “total product lifecycle reference guide” as a “unifying plan which medical technology companies can voluntarily commit to and healthcare providers can request from their vendors.”

Among other topics, the plan covers the following cyber areas:

  • Cybersecurity practices in design and development of medical technology products
  • Handling product complaints relating to cybersecurity incidents and vulnerabilities
  • Managing security risk throughout the lifecycle of medical technology
  • Assessing the maturity of a product cybersecurity program

“It is intended to be globally applicable, inspire organizations to raise the bar for product cybersecurity, and is expected to evolve as product cybersecurity evolves,” states the plan. “As such, it is anticipated that there will be future iterations of the JSP and feedback on this initial version is welcome.”

Comments regarding the plan can be emailed to JSPFeedback@HealthSectorCouncil.org.