HTM Cybersecurity Resources Page

Cybersecurity is an important topic in both the healthcare technology management (HTM) field and healthcare in general. Below is a compilation of existing medical device cybersecurity resources available today that could be of use to HTM Professionals. The goal of this resource page is to create a place where HTM professionals can easily access all of these useful resources in one place and eliminate the need for lengthy internet searches to find information. Unless specifically noted, these resources were not created or written by AAMI.

AAMI Cybersecurity Resources for HTM Professionals

Medical Device Cybersecurity - A Guide for HTM Professionals: This comprehensive guide includes chapters on cybersecurity fundamentals, the regulatory and standards environment, and inventory and configuration management. It provides examples of purchase agreements and vendor contracts, risk assessment and management practices, and cybersecurity guidance from leading healthcare systems.

Medical Connectivity FAQs: This document is intended to help healthcare technology management (HTM), information technology (IT), and facilities management professionals understand the state of wireless tools and technologies, their use in healthcare, and how they can best be managed given the disparate roles and responsibilities.

Learn the basics with AAMI Virtual Training

Medical Device Cybersecurity 101 for HTM Professionals

Is your HTM department prepared to be the first line of defense in your cyber security plan? This 3-day course gives HTM/CE professionals the knowledge and skills to plan and implement a medical device security program for their organization's needs.

Cybersecurity Information Sharing Organizations

Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO):
The HIC-MISO identifies many of the cybersecurity information sharing organizations and their key services, as health organizations are beginning to understand the importance of cybersecurity information sharing and implementing information sharing systems. HTM professionals should use this resource to better understand how all cyber information-sharing organizations work together.

National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD): The NVD is the U.S. government repository of standards-based vulnerability management data. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. HTM professionals should use the NVD to review any current or active medical device vulnerabilities.

Cybersecurity & Infrastructure Security Agency (CISA): CISA provides regular medical device vulnerability advisories. Medical device advisories are listed together with Industrial Control System Advisories but are distinguished by numbering (ICSA vs ICSMA for medical). HTM professionals should use CISA's informational page to review general medical device cyber advisories.

Healthcare and Public Health Sector Coordinating Council (HPH SCC) Joint Cyber Security Working Group (JCWG): The HPH SCC is recognized by the Secretary of Health and Human Services as the critical infrastructure industry partner with the government under Presidential Policy Directive 21 for coordinating strategic and policy approaches to preparing for, responding to, and recovering from significant cyber and physical threats to the sector. HTM Processionals should use this resource to obtain broad best practices about cybersecurity. This resource touches upon all cybersecurity and is NOT just specific to medical devices.

HTM Cybersecurity Tools and Resources

Cybersecurity & Infrastructure Security Agency (CISA) Free Vulnerability Assessment: CISA services can help the broader cybersecurity community gain visibility with vulnerability trends, adversarial activities, and, most importantly, effective mitigations to implement for better protection of their networks. HTM professionals should use this assessment, in conjunction with their cybersecurity departments, to evaluate their medical device cybersecurity program. This is a FREE tool from the government so take advantage of it!

Blog - Navigating the Library of Medical Device Security Standards: Multiple government and industry entities provide regulations and standards for securing medical devices. HTM professionals can use this blog for a quick rundown of the most commonly cited industry US standards, regulations, guidance, and alerting resources used for leading medical device security programs.

Health Information Sharing and Analysis Center (H-ISAC) - Medical Devices Cybersecurity Lifecycle Management: HTM professionals can use this as an overview of a lifecycle-based approach to managing medical device cybersecurity from the perspective of Medical Device Manufacturers and Healthcare Delivery Organizations.

ASPR TRACIE: Healthcare System Readiness and Response Considerations: The U.S. Department of Health and Human Services (HHS) Office of the Assistant Secretary for Preparedness and Response (ASPR) has sponsored the ASPR Technical Resources, Assistance Center, and Information Exchange (TRACIE) since 2015. This resource was designed to help healthcare facilities, and the systems they may be a part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident. This document is very general and HTM Professionals should use this resource as broad guidance for how to ensure their programs are ready to respond to a cyber attack.

NIST Cybersecurity Framework Profile for Ransomware Risk Management (Preliminary Draft): HTM Professionals can use this as a guide to manage the risk of ransomware events. This includes helping to gauge an organization's level of readiness to counter ransomware threats and to deal with the potential consequences of events.
NIST Framework for Improving Critical Infrastructure Cybersecurity The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. HTM Professionals can use this site to align their medical device cybersecurity program with a recognized industry best practices.

Health Industry Cybersecurity Information Sharing Best Practices (HIC-ISBP):
The HIC-ISBP is a best practice guide for how healthcare organizations can set up and manage cyber threat information sharing programs for their enterprise. HTM organizations should use this document to work with their cybersecurity departments to ensure they are communicating cybersecurity information appropriately.

Health Industry Cybersecurity Workforce Guide:
The HIC Workforce Guide is a tool kit for recruiting and retaining a skilled cybersecurity workforce in the healthcare sector. HTM Professionals should use this document when determining what skills a new cybersecurity employee should possess prior to hiring.

Health Industry Cybersecurity Practices (HICP):
The HICP is a four-volume publication that seeks to raise awareness on managing cyber threats and safeguarding patient safety for executives, health care practitioners, providers, and health delivery organizations, such as hospitals. HTM Professionals should use the HICP as one of their main resources for how to execute a medical device cybersecurity program. This document also breaks the guidance up by hospital size.

Medical Device and Health IT Joint Security Plan (JSP):
The JSP is a total product lifecycle reference guide to developing, deploying, and supporting cyber-secure technology solutions in the health care environment. HTM Professionals should use the JSP as one of their main manuals for how to execute a medical device cybersecurity program. This document dives into what HTM professionals should consider when bringing a new device onto the network and considerations for your implementation plan.

Model Contract Language For Medtech Cybersecurity: This Model Contract Language publication is a reference of the most commonly used cybersecurity contract terms and conditions between Healthcare Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs). It is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of HDO healthcare technologies, infrastructures, and information. The Health Sector Coordinating Council's work group “pre-negotiated” extensively over 18 months among some of the nation’s largest MDM and HDO organizations creating a resource that serves as a scalable template and maturity model for large, medium and small organizations.

International Guidance

International Medical Device Regulators Forum (IMDRF) - Principles and Practices for Medical Device Cybersecurity: This document provides fundamental concepts and considerations on the general principles and best practices to facilitate international regulatory convergence on medical device cybersecurity. This document has an international approach so terms definitions may not all be used the same way in the US. HTM Professionals should use this document cautiously realizing some terms and definitions within the document may not always align perfectly with US definitions.

Other Cybersecurity Resources: Medical Device Manufacturer Best Practices

HTM professionals should use these documents for awareness of what best practices Medical Device Manufacturers are working towards. This can help HTM professionals better manage their cybersecurity risks.

AAMI TIR97:2019 - Principles for Medical Deice Security-Postmarket risk management for Device Manufacturers: This technical information report (TIR) provides guidance on methods to perform postmarket security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971.

AAMI TIR57:2016 - Principles for Medical Device Security-Risk Management: This TIR provides guidance on methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971. The TIR incorporates the expanded view of risk management from IEC 80001-1 by incorporating the same key properties of Safety, Effectiveness, and Data & Systems Security with Annexes that provide process details and illustrative examples.

FDA Postmarket Management of Cybersecurity in Medical Devices: This document includes issued guidance from the Food and Drug Administration (FDA) to inform industry and FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. Hospitals should use this resource as a guide to ask medical device manufacturers how they comply with the FDA guidance.

Questions?

If you need guidance around the cybersecurity of health technology, please contact HTM@aami.org for more information.