Health Sector Council Released Cybersecurity Recommendations for Medical Devices and Health IT

On January 28, 2019, the Healthcare and Public Health Sector Coordinating Council released the “Medical Device and Health IT Joint Security Plan” (“JSP” or “Plan”)—cybersecurity recommendations for medical device manufacturers, healthcare information technology vendors, and healthcare providers.  U.S. Government entities, including the FDA, participated in the development of the Plan.   The JSP comes close on the heels of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a similar effort by a public-private partnership to provide cybersecurity guidance to healthcare industry stakeholders.

The JSP is an outgrowth of the work of the Health Care Industry Cybersecurity Task Force, a body Congress established in the Cybersecurity Act of 2015 to identify cybersecurity challenges facing the healthcare industry.  The Task Force’s 2017 report identified a need to “[i]ncrease the security and resilience of medical devices and health IT.”  The JSP is an effort to respond to that call.  The Healthcare & Public Health Sector Coordinating Council, which released the JSP, is a public private partnership organized to partner with governmental entities pursuant to Presidential Policy Directive 21.

The JSP is a “consensus-based total product lifecycle reference guide”—and “not a regulatory document” or a “standard.”  The Plan is intended to cover all stages of medical technology development and deployment, from design and development, to handling product complaints, to managing ongoing security risks, and assessing and improving the maturity of a product cybersecurity program.

The JSP framework includes the following primary components:

  • Risk Management. The JSP explains that “risk assessment is an integral component of overall product risk management.”  It recommends that entities (including manufacturers, vendors, and customers) maintain “risk registers” to “report on efforts across the framework activities, track remediation, and map new known vulnerabilities or potential risks.”  The JSP also recommends a cybersecurity management plan to track “how cybersecurity will be managed throughout the product lifecycle.”  Other recommended components of risk management include product security risk assessment and a focus on supply chain and third-party entities.
  • Design Control. The JSP describes various design security controls, including system hardening standards, vulnerability scanning, secure coding standards, patch management requirements, and security testing.  It also discusses adhering to customer information security policies, monitoring for vulnerabilities, ensuring password security, and documenting security information for customers.
  • Complaint Handling and Reporting. The JSP emphasizes that “[g]athering feedback on the cybersecurity performance of [] products post product launch is important for vendors.”  The Plan discusses systems for escalating customer complaints and properly investigating them and reporting them to stakeholders, including Cyber Emergency Response Teams and information sharing and analysis organizations (ISAOs).  It also covers ongoing monitoring and vulnerability / patch management as well as decommissioning or end-of-life considerations.
  • Finally, the JSP discusses the importance of evaluating progress and maturity over time.

It remains to be seen how stakeholders in the healthcare community will utilize frameworks like the JSP going forward.  The Plan is designed to be a living document that may be updated over time.  The framework has the potential to be significant for the medical device and health IT industry, particularly if it comes to be accepted as a reference point for industry best-practices.