On Monday, a healthcare sector advisory council released a new framework for improving the cybersecurity of medical devices throughout their lifecycle.
The framework acclaims, that during the product concept development phase, manufacturers should establish how cybersecurity will be managed throughout the device’s lifecycle. In addition, it recommends that such companies should provide a bill of materials listing third-party software contained in their products, provide a mechanism for obtaining feedback about devices and then issuing plans to remediate those problems.
Organizations using medical devices should take precaution, according to the framework, you should assess the risk of new devices entering their facilities; manage risks over the lifecycle of these systems, including monitoring of vulnerability disclosures; and provide training for their workforce on their roles for managing cybersecurity.
An important aspect of this framework is that it emphasizes security is an aspect of the whole design, development, qualification and launch processes that a device goes through.
The framework’s focus on the lifecycle of medical devices is critical, he stresses. “By doing this, it is taking steps to ensure that we have ‘secure by design’ product that is easier to maintain throughout the product lifecycle.”
Many Organizations Involved
The Medical Device and Health IT Joint Security Plan was developed over the last year by the Healthcare and Public Health Sector Coordinating Council.
The framework was built upon recommendations contained in a June 2017 report by the Healthcare Industry Cybersecruity Task Force, which pushed for voluntary measures to improve the security and resilience of medical devices and health IT.
Several organizations ranging from healthcare providers to technology vendors, industry associations, and government agencies, provided input on the framework.
The framework is a total lifecycle reference guide ranging from manufacturing to managing the security of medical devices in clinical practices
The matter is, many of the larger manufacturers are already deploying product security programs similar to this; therefore, the focus should be on those smaller and mid-sized companies that have been less aware and have less resources but are nevertheless important parts of the supply chain.
The purpose of the framework is to underline the importance of the healthcare sector taking steps to improve medical device cybersecurity, including areas that are currently deficient in the development of new products.
Connecting the Dots
The new Healthcare and Public Health Sector Coordinating Council framework builds upon suggestions of the HHS cyber task force.
The issue isn’t with only securing deployment of these technologies, or the the device makers … it will be a shared responsibility to protect them – and the patients and their data that are also part of this sequence. This framework starts with governance of these processes and steps you through all the processes using a life-cycle model and focused on continuous improvement.