HSCC Publishes Medical Device Vulnerability Communications Toolkit

April 28, 2022 - Medical device vulnerabilities are a growing concern in healthcare, as exemplified by recent vulnerability disclosures that could allow hackers to control systems remotely. However, most vulnerability disclosures are targeted at cybersecurity and information technology professionals, making it difficult for other healthcare stakeholders to inform patients of risk.

To combat this issue, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) released its “MedTech Vulnerability Communications Toolkit.”

HSCC built upon the Food and Drug Administration’s (FDA) best practices guide for communicating medical device vulnerabilities to patients and caregivers, which the administration released in October 2021.

The FDA’s guide emphasized the importance of using straightforward terminology to educate patients on medical device security risks.

“Whenever feasible, communicate with patients and caregivers as early as possible, especially if the cybersecurity vulnerability may present a risk to patient safety,” the document explained.

“Early access to serious cybersecurity vulnerability information may provide assurance to patients and empower them to take early action to avoid any potentially harmful consequences to their health. Furthermore, early access to this information may also help build trust with patients and the public.”

HSCC’s toolkit echoed these sentiments and provided specific tools for medical device manufacturers (MDMs) and software developers to create cybersecurity vulnerability communications for their products.

To begin crafting a vulnerability communication, HSCC recommended that medical device manufacturers first identify which stakeholders need to know about the vulnerability and who is responsible for remediating the vulnerability.

For example, manufacturer-controlled apps that are not patient-facing require different communication tactics than devices for which patients are the primary users.

After determining the target audience, MDMs should draft the communication using concise and simple language. Simple bulletins should include an image and description of the device, software versions affected, model name and number, and any other information that could help the user identify the device.

In addition, MDMs should include contact information, actions to take, and best practices for cybersecurity. After drafting the notice, MDMs should partner with their communications teams to refine the language and format.

Along with an extensive glossary of common healthcare, security, and technology terms, HSCC provided a list of terms to avoid in vulnerability communications.

“When communicating to users and patients of connected healthcare technology, it is imperative to craft clear communications that are understandable to an audience with little or no knowledge of information technology or security,” HSCC noted.

“It is appropriate to use technical terms when communicating to security and IT professionals, whose responsibilities include identifying security threats and implementing recommended countermeasures. You should always consider that specific terms may not be relevant to the layperson, even if that person needs to perform specific actions to reduce security risks from successful exploitation.”

Generally, MDMs should avoid using terms related to specific hardware components that are not commonly known. In addition, abbreviations such as HIPAA, CVS, and CVSS should be spelled out. Terms like virtual private network, encryption key, least privilege, and pharming are too technical for general audiences.

HSCC said it plans to release future versions of this toolkit aimed at technically-inclined audiences.