Feb 142019

Health Sector Council Released Cybersecurity Recommendations for Medical Devices and Health IT

Kate Heinzelman and Nancy K. Stade
, , , , ,

On January 28, 2019, the Healthcare and Public Health Sector Coordinating Council released the “Medical Device and Health IT Joint Security Plan” (“JSP” or “Plan”)—cybersecurity recommendations for medical device manufacturers, healthcare information technology vendors, and healthcare providers.  U.S. Government entities, including the FDA, participated in the development of the Plan.   The JSP comes close on the heels of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a similar effort by a public-private partnership to provide cybersecurity guidance to healthcare industry stakeholders.

The JSP is an outgrowth of the work of the Health Care Industry Cybersecurity Task Force, a body Congress established in the Cybersecurity Act of 2015 to identify cybersecurity challenges facing the healthcare industry.  The Task Force’s 2017 report identified a need to “[i]ncrease the security and resilience of medical devices and health IT.”  The JSP is an effort to respond to that call.  The Healthcare & Public Health Sector Coordinating Council, which released the JSP, is a public private partnership organized to partner with governmental entities pursuant to Presidential Policy Directive 21.

The JSP is a “consensus-based total product lifecycle reference guide”—and “not a regulatory document” or a “standard.”  The Plan is intended to cover all stages of medical technology development and deployment, from design and development, to handling product complaints, to managing ongoing security risks, and assessing and improving the maturity of a product cybersecurity program.

The JSP framework includes the following primary components:

  • Risk Management. The JSP explains that “risk assessment is an integral component of overall product risk management.”  It recommends that entities (including manufacturers, vendors, and customers) maintain “risk registers” to “report on efforts across the framework activities, track remediation, and map new known vulnerabilities or potential risks.”  The JSP also recommends a cybersecurity management plan to track “how cybersecurity will be managed throughout the product lifecycle.”  Other recommended components of risk management include product security risk assessment and a focus on supply chain and third-party entities.
  • Design Control. The JSP describes various design security controls, including system hardening standards, vulnerability scanning, secure coding standards, patch management requirements, and security testing.  It also discusses adhering to customer information security policies, monitoring for vulnerabilities, ensuring password security, and documenting security information for customers.
  • Complaint Handling and Reporting. The JSP emphasizes that “[g]athering feedback on the cybersecurity performance of [] products post product launch is important for vendors.”  The Plan discusses systems for escalating customer complaints and properly investigating them and reporting them to stakeholders, including Cyber Emergency Response Teams and information sharing and analysis organizations (ISAOs).  It also covers ongoing monitoring and vulnerability / patch management as well as decommissioning or end-of-life considerations.
  • Finally, the JSP discusses the importance of evaluating progress and maturity over time.

It remains to be seen how stakeholders in the healthcare community will utilize frameworks like the JSP going forward.  The Plan is designed to be a living document that may be updated over time.  The framework has the potential to be significant for the medical device and health IT industry, particularly if it comes to be accepted as a reference point for industry best-practices.

Kate Heinzelman

kheinzelman@sidley.com

Nancy K. Stade

nstade@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).