Medical device cybersecurity education, best practices, advocacy, and information sharing are key objectives in the recently announced collaboration between the Association for Executives in Healthcare Information Security (AEHIS) and the Medical Device Innovation, Safety and Security Consortium (MDISS).
AEHIS Collaborative Relationships Committee Chair and Premera Blue Cross Vice President and CISO Sean Murphy said AEHIS has evolved into a group of top healthcare leaders working to overcome top industry issues.
“To that point, MDISS has also been a strong consortium of people working together on healthcare information security, specifically with respect to medical devices,” Murphy said in a statement. “Together, AEHIS and MDISS joining forces to advocate and advance better medical device security will benefit AEHIS members and MDISS stakeholders alike. Our collective voice will be powerful in improving healthcare information security practices and making patients safer.”
The two agencies plan to provide medical device cybersecurity strategy training, including a possible course for members and other individuals.
It will also be important to develop and share best practices for medical device cybersecurity protection, according to an AEHIS statement. Those best practices can also be tested and improved, helping to develop a shared understanding of cybersecurity vulnerabilities.
AEHIS and MDISS will also work to do the following:
- Foster use of the National Institute of Standards and Technology’s cybersecurity framework;
- Identify best practices for detecting and mitigating cybersecurity vulnerabilities with medical devices;
- Educate and increase awareness of medical device cybersecurity issues among federal policymakers;
- Determine best practices to engage members in advocacy for cyber protection of medical devices; and
- Examine the barriers and burdens of sharing cybersecurity and medical device vulnerability information and the opportunities to support information sharing through existing or modified information sharing efforts.
MDISS Executive Director Dale Nordenberg explained that the partnership is an exciting move forward.
“The scale and reach of AEHIS’ education network is a perfect complement to MDISS’ continuous release of envelope-pushing technologies and best practices,” Nordenberg said in a statement. “AEHIS will play a key role in accelerating the adoption of next-generation medical device security assessment platforms like MDRAP.”
MDISS made a similar move in November 2016 to help improve medical device cybersecurity measures. The agency signed a Memorandum of Understanding (MOU) with NH-ISAC and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) to help achieve a set of goals in combatting cybersecurity threats.
“We have been collaborating with both MDISS and the FDA for a period of time now and it is rewarding to have this memorandum of understanding in place, which formally outlines our collaboration goals,” NH-ISAC President Denise Anderson said in a statement. “We look forward to bringing the medical device security community together on several critical issues through our joint efforts.”
A productive environment will foster stakeholder collaboration and communication, the MOU added, and there must be information sharing between organizations. Vulnerabilities “that may affect the safety, effectiveness and security of the medical devices, and/or the integrity and security of the surrounding healthcare IT infrastructure” should be brought to entities’ attention.
Medical device cybersecurity has also been an increasing concern for the government, with lawmakers proposing legislation to clarify device security enhancement expectations and improve remote access protections.
Connecticut Senator Richard Blumenthal introduced medical device cybersecurity legislation in March 2017, saying patient information must be properly protected and that connected devices need stronger cybersecurity measures.
“The security of medical devices is in critical condition,” Blumenthal said in a statement. “My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”