Health Industry Publishes Guide for Medical Device and Health IT Security
Washington, DC – March 15, 2024 – The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group today published updated recommendations for manufacturing and managing the security of medical devices for clinical practice. Refined over the past year, the “Medical Device and Health IT Joint Security Plan (JSP) 2.0” offers important updates and a major refresh of the original JSP published in 2019. JSP is a total product lifecycle reference guide to developing, deploying and supporting cyber secure technology solutions in the health care environment. The JSP utilizes “secure-by-design” and “secure-by-default” principles throughout the product lifecycle of medical devices and health IT solutions.
JSP 2.0 additionally makes a significant step towards goals #6 and #7 of HSCC’s five-year Health Industry Cybersecurity Strategic Plan (HIC-SP). To meet the HIC-SP goals for secure development and use of medical technology in the clinical environment, the JSP identifies the shared responsibility between industry stakeholders to harmonize security related standards, risk assessment methodologies & vulnerability reporting requirements as a total lifecycle roadmap for medical technology manufacturers and health provider organizations.
“Since the JSP was first published in 2019, there has been a growth in attention to its continuing imperative that manufacturers build security into the total lifecycle of medical devices, and that their customers expect it,” said Greg Garcia, Executive Director of HSCC. “Indeed, the JSP was prepared by an influential cross section of health providers and device manufacturers, as well as FDA, as a living document that should be updated as threats, practices, and policy evolve.”
The JSP responds to a set of recommendations issued in June 2017 by the Health Care Industry Cybersecurity (HCIC) Task Force, which urged strong efforts toward increasing the security and resilience of medical devices and health IT. The HCIC was established by the Department of Health and Human Services at the direction of the Cyber Security Act of 2015.
Debra Bruemmer, Senior Director of Clinical Security, MedSec (formerly Senior Manager, Office of Information Security, Mayo Clinic), and co-chair of the initiative said, “Patient safety is the top priority for both hospitals and medical device manufacturers. One aspect of patient safety involves taking actions to protect against cybersecurity threats. The JSP emphasizes these actions as a shared responsibility. It guides manufacturers toward how to build security into products and assess and communicate security vulnerabilities throughout a device’s lifecycle. To leverage the actions of manufacturers, hospitals need to have processes to handle vulnerability disclosures, apply software patches and plan for products reaching end of support. Ultimately, it is the patient who benefits from these joint efforts.”
Chris Reed, Vice President of Product Security, Medtronic, and co-chair of the initiative said, “Medical device product security programs are critical to patient safety and product quality, which is why the updated JSP focused on organizing important content so it’s easy to use and reference. Most notably, this resource was developed in partnership with Healthcare Delivery Organizations to ensure the voice of the customer is represented in the product security activities detailed in the document. This resource can help medical device manufacturers of all sizes understand and mature product security activities that help ensure the delivery of safe, secure and effective products. I have personally leveraged the JSP since its initial release to build and mature medical device product security programs and am excited for more organizations to utilize it.”
Aftin Ross Ph.D., deputy director for the Office of Readiness and Response at the FDA’s Center for Devices and Radiological Health, Office of Strategic Partnership and Technology Innovation said, “The FDA’s partnership with HSCC in developing the JSP is another step among regulators, industry and the healthcare sector to help manage cybersecurity threats related to medical devices.” Dr. Ross, a co-chair of the initiative added, “This collaboration aligns with the FDA’s regulatory work to assure that patients and providers have timely and continued access to safe, effective and high-quality medical devices.”
Other freely-available related HSCC publications include: MedTech Vulnerability Communications Toolkit; Managing Legacy Technology Security; and Model Contract for Medtech Cybersecurity.
To provide feedback on the Joint Security plan: JSPFeedback@HealthSectorCouncil.org.
About the HSCC
The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of private-sector critical healthcare infrastructure entities organized under the National Infrastructure Protection Plan to partner with and advise the government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public. The HSCC Cybersecurity Working Group (CWG) is the largest HSCC working group of almost 450 healthcare providers, pharmaceutical and medtech companies, payers and health IT entities partnering with multiple federal, state, international, and local government agencies to identify and mitigate cyber threats to health data and research, systems, manufacturing and patient care. The CWG membership collaboratively develops and publishes freely-available healthcare cybersecurity best practices and policy recommendations, and produces outreach and communications programs emphasizing the imperative that cyber safety is patient safety.
The JSP Task Group was co-chaired by Chris Reed of Medtronic, Debra Bruemmer of MedSec (initially of Mayo Clinic), and Aftin Ross of FDA. In 2019 the HSCC Joint Cybersecurity Working Group established the JSP Task Group, which included more than 200 medical device and health IT companies, direct patient care entities, plans and payers, labs, blood and pharmaceutical companies. The task group oversaw the development of the first version of the JSP and the partnership with the Medical Device Innovation Consortium (MDIC) and Booz Allen Hamilton to prepare a benchmarking report about progress in medical device cybersecurity.
For more information about the HSCC Joint Cybersecurity Working Group visit https://HealthSectorCouncil.org.