HSCC to Issue Cybersecurity Best Practices for Medical Device Manufacturers and Healthcare Organizations

The Healthcare & Public Health Sector Coordinating Council (HSCC) will soon release voluntary cybersecurity best practices to support medical device manufacturers in their efforts to improve the security of their products and to help healthcare delivery organizations to improve their security posture. HSCC will also create a voluntary curriculum which medical schools can adopt to help them train clinicians to use medical devices, electronic health records and IT systems safely and securely.

The announcement was made at the start of October – National Cyber Security Awareness Month – along with an update on the progress made over the past 12 months and what HSCC still hopes to accomplish. In its update, HSCC mentioned that the 2017 global cyberattacks, such as the WannaCry and NotPetya malware attacks, had raised awareness of the dangers of malware and the considerable harm it can cause. Several large companies suffered outages for several weeks as a result of the attacks. Luckily, the healthcare sector in the U.S. was relatively unaffected, unlike the National Health Service in the United Kingdom, which was severely affected when the attacks took key systems out of action.

In late 2017, the Healthcare Industry Cybersecurity Task Force, which was established after the passing of the Cybersecurity Act of 2015, provided a report to Congress citing over 200 recommendations for improving cybersecurity in healthcare. Since then, many industry stakeholders have joined HSCC Cybersecurity Working Groups and Task Groups and are working toward strengthening cybersecurity in healthcare and enhancing patient privacy protections.

HSCC organized a multi-stakeholder meeting in February 2018 to enhance the coordination of projects to deal with healthcare cybersecurity issues, and the HHS held a meeting of members of the HSCC Cybersecurity Working Group in June 2018 to get an update on progress and to guide future work on key projects that have yet to be completed.

HSCC remarks that there is substantial momentum to boost healthcare cybersecurity. For example, in line with September’s National Cyber Strategy, the Administration and Congress are now working closely with the private sector to ensure that risks to critical infrastructure, including healthcare, are effectively managed.

The Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2018 (H.R. 6378) also now includes provisions for cybersecurity and requires the HHS to inform Congress of its plan for public health preparedness and the cybersecurity threat response. HSCC also explained that a combined table-top exercise with the HHS is planned to assess the response plan for a flu epidemic and ransomware attack, were they both to occur at the same time.