MDIC, HSCC Team Up to Establish Medical Device Security Benchmarks

Experts from MDIC, HSCC, and BD discuss a new self-assessment tool that aims to establish medical device security benchmarks.

By Jill McKeon

The Medical Device Innovation Consortium (MDIC) and the Healthcare and Public Health Sector Coordinating Council (HSCC), in partnership with Booz Allen Hamilton, created a new survey with the goal of establishing medical device security benchmarks.

Medical device security continues to be a pain point for healthcare organizations, regulators, and manufacturers. The sheer number of devices on an organization’s network at any given time, along with the prevalence of legacy devices and a lack of industry-wide standards, has posed significant security challenges.

Over the years, there has been a lot of finger-pointing and confusion surrounding roles and responsibilities for medical device security.

“There was no mutual understanding about shared responsibility between device manufacturers, hospital systems, and healthcare providers,” Greg Garcia, executive director for cybersecurity at HSCC, explained in an interview with HealthITSecurity.

“We quickly recognized that as a sector, we needed to be doing something about this rather than just staying in our corners.”

In an effort to address these concerns and promote shared responsibility for medical device security across the industry, the HSCC Joint Cybersecurity Working Group (JCWG) issued the Joint Security Plan (JSP) in 2019. The JSP is essentially a product lifecycle reference guide to developing, deploying, and supporting secure medical devices and health IT products and solutions.

“The JSP is expected to evolve over time and the HSCC intends to establish a governance model to ensure the baseline strategy is updated based on execution of existing plans or new needs identified by members of the stakeholder community,” the 2019 document stated.

The new 44-question survey, based on the JSP, intends to deliver on that statement. The survey serves as a self-assessment tool for medical device manufacturers, helping them identify their own medical device security maturity in areas like risk management, design control, structure, and governance. Use of the JSP is not required for survey participation, and companies using other maturity models can also gain valuable insights from the survey results.

Along with measuring the successes and shortcomings of the JSP, the survey will provide much-needed benchmark data on medical device security maturity. MDIC and HSCC are seeking one survey response per company or organization, and all responses are confidential.

“When manufacturers contribute to the survey, they will get a score that will help them to assess their posture in the sector,” Jithesh Veetil, program director at MDIC, explained in an interview with HealthITSecurity.

“And the learning, in turn, will help the industry, and also help us help the Public Health Sector Coordinating Council to update the JSP framework.”

Senior-level product security officers, risk managers, and quality managers were encouraged to complete the survey based on their working knowledge of their organization’s security posture and product portfolio.

“Cybersecurity risk is also a potential patient safety risk. It's about protecting patient safety. It's about protecting patient privacy,” Rob Suárez, CISO at BD and chair of the MDIC cybersecurity working group, told HealthITSecurity.

“That is really the reason why we want to give medical device cybersecurity this level of attention.”