The Health Sector Coordinating Council, in partnership with HHS, released last month a set of recommendations for cybersecurity best practices for health providers. The voluntary, consensus-based “Health Industry Cybersecurity Practices (HICP)” is the culmination of a year and a half of industry and government experts identifying the five most prevalent cyber threats and the ten best practices to deal with them. It is scalable for small, medium and large organizations and, if implemented, should measurably reduce risk across the healthcare ecosystem.

Shortly after releasing the HICP resource, the HSCC released the Medical Device and Health IT Joint Security Plan (JSP), which is a consensus-based total product lifecycle reference guide for developing, deploying, and supporting cyber secure technology solutions in the healthcare environment.

More information:

Washington, D.C., January 28, 2019 – Today, the Healthcare and Public Health Sector Coordinating Council (HSCC) released new recommendations for manufacturing and managing the security of medical devices for clinical practice. Developed over the past year, the “Medical Device and Health IT Joint Security Plan (JSP)” is a total product lifecycle reference guide to developing, deploying and supporting cyber secure technology solutions in the health care environment.  This essential reference also will be discussed during the FDA’s January 28-29 workshop on medical device security in Silver Spring, MD.

The JSP utilizes “security by design” principles throughout the product lifecycle of medical devices and health IT solutions. It identifies the shared responsibility between industry stakeholders to harmonize security-related standards, risk assessment methodologies and vulnerability reporting requirements to improve information sharing between manufacturers and healthcare organizations. The JSP will be a living document and will be updated as required to adapt to the ever-changing threat environment for medical devices and health IT solutions.

“We are proud of partnerships and alliances that demonstrate the far-reaching potential of collaboration across the public and private sector,” said Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health. “Securing medical devices from cybersecurity threats cannot be achieved by the FDA on its own. That’s why the FDA has long been committed to working hard with various stakeholders like the HSCC to stay a step ahead of constantly evolving cybersecurity vulnerabilities. In this way,” Schwartz concluded, “we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate.”

The JSP responds to a set of recommendations issued in June 2017 by the Health Care Industry Cybersecurity (HCIC) Task Force, which urged strong efforts toward increasing the security and resilience of medical devices and health IT.  The HCIC was established by the Department of Health and Human Services at the direction of the Cyber Security Act of 2015.

Kevin McDonald, director of clinical information security at the Mayo Clinic, and co-chair of the initiative, said, “The goal of this effort was to align cybersecurity priorities and processes between medical device manufacturers and healthcare providers to lower the cybersecurity risk in medical devices. By creating this alignment,” McDonald added, “we can strengthen the security of medical technology against cyber threats, improve cyber risk management within healthcare organizations, and better protect patient safety.”

“The medical device industry recognizes that, as patient care is increasingly provided across a networked and internet-connected environment, security in turn needs to keep pace with the technological innovation that is driving patient care,” said Rob Suarez, director of product security with Becton Dickinson and the other industry co-chair.  “The JSP provides a scalable security roadmap for large and small manufacturers, and the customers they serve.”

By adding the JSP to last month’s release of the Health Industry Cybersecurity Practices (HICP) resource (https://healthsectorcouncil.org/hhs-and-hscc-release-voluntary-cybersecurity-practices-for-the-health-industry/), the HSCC is throwing a one-two punch at the sector’s cybersecurity challenges.  With broad adoption of these tools, we are confident the sector will demonstrate measurable improvement to healthcare cybersecurity risk management in the coming months and years.

###

About the HSCC

The HSCC is an industry-driven public-private partnership of healthcare companies and providers developing collaborative solutions to mitigate threats to critical healthcare infrastructure. It is one of 16 critical infrastructure sectors organized to partner with the government under Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience. The JSP task group was co-chaired by Becton Dickinson, Mayo Clinic and the FDA under the auspices of the HSCC Joint Cybersecurity Working Group, which includes more than 200 medical device and health IT companies, direct patient care entities, plans and payers, labs, blood and pharmaceutical companies.

For more information about the HSCC Joint Cybersecurity Working Group visit www.HealthSector.Council.org

HSCC MEDTECH JSP Infographic
JSP FAQ Final
HSCC MEDTECH JSP v1