HSCC’s New Cybersecurity Framework for Medical Devices

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a new cybersecurity framework for medical devices. If medical device sellers, healthcare companies, and healthcare industry stakeholders adopt the voluntary framework, they will be able to enhance the security of medical devices throughout their life cycle.

The HSCC is an association of critical healthcare infrastructure entities in the private sector that have worked with the government to determine and minimize the threats and vulnerabilities that the healthcare sector faces. The group consists of over 200 healthcare organizations and government institutions. They work together on creating solutions to deal with present and emerging cybersecurity risks challenging the healthcare sector. Over 80 organizations helped in developing the Medical Device and Health IT Joint Security Plan (JSP), which builds upon Healthcare Industry Cybersecurity Task Force recommendations.

Medical device suppliers and health IT vendors should adopt the JSP’s cybersecurity framework and apply its recommended plans and templates throughout the life cycle of medical devices and health IT. Doing so would result in improved security and better products for patients.

HSCC is encouraging organizations to adopt the JSP to improve patient safety. Organizations of any size and level of maturity can adopt the JSP to boost cybersecurity. Many major medical device manufacturers have already created cybersecurity programs similar to the JSP, so the JSP is best suited to small and medium-sized companies that do not know enough about improving cybersecurity.

The JSP uses the principle of security by design and determines shared responsibilities among industry stakeholders. The framework helps to coordinate security standards, includes risk assessment techniques, covers vulnerability reporting, and enhances information sharing between device suppliers and healthcare companies. The JSP addresses the complete life cycle of medical devices, from development, deployment, and administration to end of life. The JSP gives a number of recommendations, such as incorporating cybersecurity measures during medical device design and development, dealing with product complaints linked to cybersecurity incidents, minimizing post-market vulnerabilities, controlling security risks, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan is available for download here.