Three national organizations recently signed a Memorandum of Understanding (MOU) in an effort to improve medical device cybersecurity measures.
The National Health Information Sharing and Analysis Center (NH-ISAC), the Medical Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) announced that the signed MOU is designed to help achieve a set of goals in combatting cybersecurity threats.
“We have been collaborating with both MDISS and the FDA for a period of time now and it is rewarding to have this memorandum of understanding in place, which formally outlines our collaboration goals,” NH-ISAC President Denise Anderson said in a statement. “We look forward to bringing the medical device security community together on several critical issues through our joint efforts.”
The MOU will help create an environment that fosters stakeholder collaboration and communication, the announcement explains. Furthermore, it is meant to encourage information sharing between organizations. Entities should be made aware of vulnerabilities “that may affect the safety, effectiveness and security of the medical devices, and/or the integrity and security of the surrounding healthcare IT infrastructure.”
Second, the agreement aims to help organizations develop better awareness of the Framework for Improving Critical Infrastructure Cybersecurity. Stakeholders must also understand how to best adopt the framework to meet their operational needs.
Third, industry stakeholders need to understand how to “develop innovative strategies to assess and mitigate cybersecurity vulnerabilities that affect their products,” NH-ISAC explained in its statement.
Finally, the MOU aims to “build a foundation of trust within the HPH community so that all healthcare technology and medical device stakeholders can directly benefit from the sharing of cybersecurity vulnerability- and/or threat information identified within the HPH Sector, as well as intelligence feeds from other Critical Infrastructure Sectors that may secondarily affect healthcare and the public health.”
Helping healthcare organizations improve their cybersecurity threat identification, mitigation, and prevention efforts is becoming an increasingly popular goal of many agencies.
Earlier this year, the Department of Health and Human Services awarded corporate agreements to fight against healthcare cybersecurity threats and improve information sharing.
HHS awarded a total of $350,000 in corporate agreements, and explained that smaller healthcare entities often do not have the same access to methods to prevent or respond to cybersecurity attacks. However, “a streamlined cyber threat information sharing process” will help HHS send cyber threat data to a single entity, and that organization can then share the information with stakeholders.
“The agreements also will help build the capacity of NH-ISAC to receive cyber threat information from member healthcare entities,” HHS stated. “Information about any system breaches and ransomware attacks will be relayed through a more robust cyber information sharing environment, as will information about steps healthcare entities should take to protect their health information technology systems.”
The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) also commented on the FDA’s “Post-market Management of Cybersecurity in Medical Devices” draft, which was released in January 2016.
CHIME and AEHIS said that medical device security could be improved with a more standardized set of cybersecurity frameworks, especially in the pre-marketing stage for medical devices.