The Healthcare and Public Health Sector Coordinating Council (HPH SCC) plans to release voluntary cybersecurity best practices for medical device manufacturers and healthcare providers soon, the groups announced Oct. 1 at the kickoff of National Cybersecurity Awareness Month.
The development of cybersecurity best practices grew out of the Cybersecurity Act of 2015, which directed the setting up of a Healthcare Industry Cybersecurity Task Force and the development of voluntary best practices to improve cybersecurity in the healthcare industry.
In 2017, the task force submitted a report to Congress detailing ways the healthcare sector could increase the security and resilience of medical devices and health IT, including EHRs. Areas that the task force touched upon included legacy operating systems, secure development lifecycle, strong authentication, and strategic and architectural approaches to product deployment, management, and maintenance on hospital networks.
In addition, HPH SCC said in its Oct. 1 announcement that it intends to unveil a voluntary curriculum that can be used by medical schools to train clinicians in secure use of IT, EHRs, and medical devices.
HPH SCC explained that there is momentum within the US administration and Congress to address cybersecurity threats, including in healthcare. This is evidenced by:
- The National Cyber Strategy released in September, which said the federal government will work with the private sector to manage risks to critical infrastructure sectors, such as healthcare
- House passage of the reauthorization of the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2018 (HR 6378), which includes cybersecurity provisions and requires HHS to submit to Congress a strategy for public health preparedness and response to address cybersecurity threats
- A planned joint table-top exercise with HHS to respond to a combined incident involving a pandemic flu and a cascading ransomware cyberattack.
“We recognize that patient safety has taken on a new dimension that demands our attention — the recognition that patient security requires cybersecurity. The health sector is now organized and working to fortify the industry’s immune system against a cyber epidemic that has become as infectious as a human epidemic,” HPH SCC stressed.
As pointed out in a HealthITSecurity.com feature earlier this year, vulnerable medical devices are a growing concern for the healthcare industry. For example, the WannaCry ransomware attack of last year targeted medical devices.
“Medical devices can serve as pivot points into a hospital. An adversary could attack a medical device and use that to get access to the rest of the hospital network,” warned MITRE IT and Cybersecurity Integrator Penny Chase.
Chase said that clinicians must weigh the small risks that these vulnerabilities pose to patients against the large benefits of delivering life-saving treatment with these devices.
Suzanne Schwartz, FDA associate director for science and strategic partnerships at the Center for Devices and Radiological Health, said that her agency’s main concern with medical devices is patient safety.
“From where we sit, our mission is in terms of protection and promotion of public health; our great concern is for the medical device’s ability to perform in the way that it is supposed to perform — what we call its intended use,” Schwartz observed.
“There are other risks associated with vulnerabilities in medical devices, such as a point of entry into a networked hospital to gain access to either PHI or PII that can be monetized by a cybercriminal,” she added.
The FDA’s focus on medical device security, both pre-market and post-market, is to identify regulatory incentives for industry to be proactive in identifying vulnerabilities and fixing them quickly.
“We are concerned about the times when malware or ransomware attacks can affect the clinical operations of an entire healthcare organization by shutting down equipment. That is an area that certainly we’re paying very close attention to,” Schwartz said.
“The push has been towards being proactive as opposed to reactive. We have seen over the past few years some really substantial progress, and we are encouraged by what we’ve seen across the ecosystem with regard to manufacturers really being champions in certain areas, as well as working together with healthcare delivery organizations,” she concluded.