Public-Private Partnership Provides ‘Security Roadmap’ for Health Technology

Posted February 19, 2019

For the medical device industry, healthcare delivery organizations, and federal regulators, trying to stay ahead of evolving cyberthreats can be a struggle. To support this effort, a public-private partnership of health technology companies, healthcare systems, nonprofit organizations, and federal agencies, including the Food and Drug Administration (FDA), has published a reference guide intended to help stakeholders utilize effective cybersecurity practices during medical device development, deployment, and clinical use.

The Medical Device and Health IT Joint Security Plan (JSP) was developed as a “living document” by the Healthcare and Public Health Sector Coordinating Council (HSCC), which was established by the Department of Health and Human Services at the direction of the Cybersecurity Act of 2015.

“The medical device industry recognizes that, as patient care is increasingly provided across a networked and internet-connected environment, security in turn needs to keep pace with the technological innovation that is driving patient care,” said AAMI Member Rob Suarez, director of product security at BD and co-chair of HSCC’s medical technology cybersecurity risk management task group, in a statement. “The JSP provides a scalable security roadmap for large and small manufacturers and the customers they serve.”

By leveraging this collaborative guidance, “we can help ensure the healthcare sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate,” said Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, in a statement.

The JSP applies the concept of “security by design,” in which cybersecurity principles should be considered and implemented at the early stages of medical device development, as well as the tenet of shared responsibility. It provides detailed guidance on the steps that organizations should take to develop and maintain secure medical devices, divided into four areas:

  1. Organization. Defines organizational roles and responsibilities, policies, and the need for personnel training.
  2. Risk Management. Includes a risk register to map potential risks, a cybersecurity management plan, and a product security risk assessment (e.g., using a common vulnerability scoring system).
  3. Design Control. Covers applying cybersecurity standards and software code testing during product development and release to find vulnerabilities and harden the product against them; identifying, applying, and maintaining software patches throughout development and release; and developing and maintaining useful security documentation.
  4. Complaint Handling and Reporting. Describes how to gather feedback on cybersecurity performance after the launch of a product (e.g., vulnerability disclosures, product security risk assessment, patch management, end of life support).

In addition, the JSP includes an assessment tool for organizations involved in the design, development, production, deployment, service, or support of medical devices and healthcare information technology to track their progress in conforming to the plan. For example, “reporting considerations” related to complaint handling would receive a maturity level of two (“managed”) if plans are established to ensure that “[JSP] framework components are performed, measured, and controlled with routine visibility provided to management.” The organization can then set a target date to move up to higher levels of maturity for that segment, which would include collecting performance metrics and developing improvement plans, among other considerations.

“We are proud of partnership and alliances that demonstrate the far-reaching potential of collaboration across the public and private sector,” Schwartz said. “Securing medical devices from cybersecurity threats cannot be achieved by the FDA on its own. That’s why the FDA has long been committed to working hard with various stakeholders like the HSCC to stay a step ahead of constantly evolving cybersecurity vulnerabilities.”

The HSCC is seeking feedback on the JSP at