The Healthcare and Public Health Sector Coordinating Council (HSCC) released its medical device guidance on Monday, to help vendors, providers, and other stakeholders secure these devices throughout the product lifecycle.
HSCC is a private-public workgroup with members from the Food and Drug Administration, Cerner, the Mayo Clinic, the Department of Homeland Security, and security researchers, among others. Established in 1998 and updated in 2013, HSCC is overseen by DHS and is one of 16 critical infrastructure sector coordinating councils established under White House directives.
The voluntary guidance is meant to help medical device manufacturers, health IT vendors, providers, and other stakeholders enhance device security. It was released ahead of the FDA's January 29 public workshop on medical device cybersecurity.
“It’s important for medical device manufacturers and health IT vendors… to consider the joint security plan (JSP) voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” the group wrote.
Both vendors and provider organizations struggle with integrating device security into existing processes, the group explained. It attributes this to organizations "not recognizing the importance, not knowing where to start, and insufficient resources."
“The components in the JSP framework are used to help create security policy and procedures that align and integrate into existing processes,” the group explained. “Our primary ask of organizations is to make a commitment to implementing the JSP as it is expected that patient safety will be positively impacted as a result.”
To start, organizations must define their governance process, including roles and responsibilities and personnel training. This can also include strategic decisions, establishing goals, and tracking the maturity of device security against the framework.
Training should include the “incorporation of cybersecurity expertise,” through a routine training program or periodic reassessment.
“In addition to organizational leadership, various members of the organization have a shared responsibility for product security and thus benefit from the implementation of the JSP,” the group wrote.
Further, adoption should be driven by mapping cybersecurity activities and processes onto existing processes while eliminating redundant ones. Vendors should also share their maturity evaluation with their customers and with HSCC, to inform future revisions of the framework.
At all levels of the medical device lifecycle, risk assessments are crucial to ensuring patient safety. HSCC recommended both vendors and health providers build a risk register or risk log that tracks remediation and framework activities and maps known vulnerabilities or known risks.
For vendors, the register should be populated from product portfolio management and cybersecurity management plans. HSCC recommends that their customers create similar registers based on risk documentation from within the organization and on vendor vulnerability disclosures.
The cybersecurity management plan should begin at the concept phase and establish how cybersecurity will be maintained for the device throughout its lifecycle. It should include items such as reports from product risk assessments, penetration testing, vulnerability scanning, and the like, HSCC explained.
HSCC also noted that risk assessments should include a product inventory that documents and maintains a list of all software-enabled products, versions, solutions, and commercially available services.
“The objective of risk assessment for known vulnerabilities or potential cybersecurity risks is to determine the comprehensive impact, for example, to clinical safety, business operations, intellectual property, patient privacy, contractual requirements, regulation, and law,” the group wrote.
“The risk assessment will also enable the risks and vulnerabilities to be prioritized for response,” they added.
HSCC also outlined the need for design controls of policies and procedures to “ensure that product design inputs are met so that correct requirements can be developed.”
“For cybersecurity, organizations apply applicable standards and testing to software code during product development as well as during each software release,” the group wrote. “These design control principles also apply to components provided by third-parties that are used in finished products.”
The group made recommendations around design input requirements (including system hardening standards and vulnerability scanning) and software requirements (including secure coding standards and code analysis).
Vendors should routinely identify, apply, and maintain patches for products and their components throughout the product development process, and plan remediation within a reasonable timeframe, including upgrades of the product and its components.
“The deployment and application of patches will have a defined time of disruption to system operation and minimal impact on availability for patient care,” the group wrote.
Patch management should also be a priority for providers, even though many struggle with how and when to patch. As the 2017 global WannaCry attack showed, failing to patch can severely damage IT systems and cripple the ability to provide patient care.
Providers must “continuously monitor, track, and plan for cybersecurity incidents, vulnerabilities, upstream patches, and end of support dates from predefined sources based on the inventory of firmware, software, communication modules, etc…”
“Products and components (including those contracted components provided by third-party entities) may also be a source of vulnerabilities and should similarly be subject to monitoring,” the group wrote.
Further, providers must determine the level of risk and required actions, “by using product risk assessment, remediation planning and product security risk assessment.”
“In particular, document cybersecurity risks in defect, bug, or issue tracking systems or product backlog, in addition to design history files and/or risk management files,” the group wrote. “Validate the remediation and successful patching of vulnerabilities, including impact to performance and clinical use.”
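The monitoring loop described above, with the inventory it depends on and the risk register it feeds, can be made concrete. The following is an added example, not HSCC's or any vendor's code: it takes a constructed inventory of software-enabled products and their component versions, matches each component against constructed vendor advisories and end-of-support dates from a predefined source, and emits prioritized risk-register rows with a remediation action for each. Product names, component names, advisory identifiers, dates, and the four-level priority scheme are all assumptions made for illustration and describe no real device or vulnerability.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data. Product, component and advisory names are hypothetical
# and do not describe any real device or vulnerability.
INVENTORY = {
    "Infusion Pump Model A": {"pump-firmware": "2.3.1", "acme-tls": "1.1.4", "rtos-kernel": "4.0"},
    "Patient Monitor Model B": {"monitor-os": "10.2", "acme-tls": "1.2.0"},
}
# Advisories from a predefined source: versions below `fixed_in` are affected.
ADVISORIES = [
    {"id": "ADV-0001", "component": "acme-tls", "fixed_in": "1.2.0", "clinical_impact": False},
    {"id": "ADV-0002", "component": "pump-firmware", "fixed_in": "2.4.0", "clinical_impact": True},
]
# Vendor end-of-support dates per component (constructed).
END_OF_SUPPORT = {"rtos-kernel": date(2018, 12, 31), "monitor-os": date(2019, 4, 15)}
# Fixed assessment date so the example is reproducible.
TODAY = date(2019, 1, 28)


@dataclass(order=True)
class Finding:
    """One risk-register row. Ordering sorts by priority first (1 = most urgent)."""
    priority: int
    product: str
    component: str
    version: str
    issue: str        # "vulnerability", "end-of-support" or "end-of-support-soon"
    reference: str    # advisory id or end-of-support date
    action: str


def parse_version(text):
    """'1.10.0' -> (1, 10, 0): compare numerically, not as strings ('1.10' > '1.9')."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, fixed_in):
    return parse_version(version) < parse_version(fixed_in)


def assess(inventory, advisories, eol_dates, today, warn_days=90):
    """Match each inventoried component against advisories and end-of-support dates.

    Priority scheme (an assumption of this example, not HSCC's): 1 = vulnerable with
    clinical impact, 2 = already unsupported, 3 = vulnerable without clinical impact,
    4 = support ends within `warn_days`.
    """
    findings = []
    for product, components in inventory.items():
        for component, version in components.items():
            for adv in advisories:
                if adv["component"] == component and is_affected(version, adv["fixed_in"]):
                    findings.append(Finding(
                        1 if adv["clinical_impact"] else 3, product, component, version,
                        "vulnerability", adv["id"],
                        f"patch {component} to {adv['fixed_in']} or later, then validate clinical use"))
            eol = eol_dates.get(component)
            if eol is None:
                continue
            if eol <= today:
                findings.append(Finding(2, product, component, version, "end-of-support",
                                        eol.isoformat(), f"{component} is unsupported: plan upgrade or retirement"))
            elif eol - today <= timedelta(days=warn_days):
                findings.append(Finding(4, product, component, version, "end-of-support-soon",
                                        eol.isoformat(),
                                        f"support for {component} ends in {(eol - today).days} days: schedule upgrade"))
    return sorted(findings)


def run_example():
    """Run the assessment over the constructed data; returns risk-register rows by priority."""
    return assess(INVENTORY, ADVISORIES, END_OF_SUPPORT, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"P{f.priority} {f.product}: {f.component} {f.version} [{f.issue} {f.reference}] -> {f.action}")
```

The output rows are the entries a provider would carry into its issue tracker or risk register: the pump's firmware advisory with clinical impact sorts ahead of the already-unsupported kernel, which sorts ahead of the TLS library advisory without clinical impact, with the monitor's approaching end-of-support date last. Versions are compared as integer tuples rather than strings so that, for example, 1.10 correctly ranks above 1.9; a real deployment would replace the constructed advisory and end-of-support lists with feeds from the vendor disclosure sources the guidance refers to.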
The guidance is designed for organizations of all sizes, and HSCC said it hopes it will “inspire organizations to raise the bar for product cybersecurity posture.”
“The HSCC believes that, because medical technology is integral to patient safety and clinical operations, product cybersecurity in medical technology is a shared responsibility among healthcare stakeholders,” the group wrote.
“Moreover, more secure products result in higher quality products which positively impact public health,” they added. “The core of this framework aligns to traditional quality system concepts. Design controls, risk management, design requirements, testing and post market management can be aligned with multiple software development methodologies.”
The recommendations also include methods to safely apply both routine and emergency patches, along with how to handle medical devices at the end of their lifecycle. The complete medical device guidance is available from HSCC. The FDA will use the information gathered at this month's two-day workshop to improve its 2016 cybersecurity guidance for medical devices.