While many providers assume that it is the facility's internal infrastructure that enables data breaches, the problem frequently lies with the device itself. Currently, the FDA has no federal mandate outlining required device cybersecurity protections.
As a result, both legacy and newly introduced medical equipment can pose a significant (and potentially unknown) threat to healthcare facilities for an indefinite amount of time.
Fortunately, a government-supported coalition of hospitals and healthcare device manufacturers has joined forces in an attempt to standardize the security testing process for new medical equipment and ultimately reduce the risk of a data breach.
On Monday, January 28, 2019, the appointed advisory group known as the Healthcare and Public Health Sector Coordinating Council (HSCC) released a new, voluntary Joint Security Plan (JSP) framework explicitly designed to improve the cybersecurity of medical devices throughout their lifecycles.
Across its 53 pages, the newly released guidance sets out several recommendations, including:
Both healthcare organizations and medical device manufacturers must outline governance benchmarks, defining specific goals, tasks, and requirements. Stakeholders must also develop a standardized training program for personnel to promote a culture of cybersecurity expertise and consistent reevaluation of potential threats.
Risk assessment plays a critical role in maintaining network security and supporting patient safety during every level of the device lifecycle.
The HSCC suggests that both healthcare systems and medical device manufacturers develop a process to register and track potential risks as well as final resolutions, aggregating data from various sources including pen testing, detailed threat assessments, and vendor disclosures.
The framework also suggests that this process include maintaining an up-to-date product inventory detailing every device's services, solutions, and versions.
The HSCC highlighted the need for design controls across both procedures and policies to increase output consistency throughout the product development and software release phases.
The JSP framework offers design input requirements, recommendations, and standards as a benchmark for companies looking to define their own internal design control process.
According to the HSCC recommendations, both device manufacturers and providers should outline a patch management approach for medical devices.
For manufacturers, this means evaluating, implementing, and sustaining necessary system patching throughout product development as well as outlining prompt resolution of issues that arise with upgrades.
For healthcare providers, the patch management process includes ongoing assessment of various components such as potential cybersecurity events and risks based on their updated inventory list.
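The inventory and risk-register recommendations above (track devices with their services and versions, register risks from pen testing, threat assessments and vendor disclosures, record resolutions, and reassess on an ongoing basis) can be reduced to a small data model. The following is an added example written for this page; it is not code from the HSCC JSP or from any manufacturer. Every device, vendor name, model and reference identifier in it is a constructed placeholder, and the "fixed in firmware version" matching rule is an assumption about how a vendor notice would be expressed.

```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware version ('2.1.0') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    services: List[str]   # network services the device exposes
    location: str


@dataclass
class RiskInput:
    """A risk source feeding the register: vendor disclosure, pen test finding or threat assessment."""
    ref: str            # placeholder reference, not a real advisory or CVE identifier
    vendor: str
    model: str
    fixed_in: str       # first firmware version the source says resolves the issue (assumed format)
    source: str
    summary: str


@dataclass
class RiskEntry:
    asset_id: str
    ref: str
    source: str
    summary: str
    status: str = "open"
    resolution: str = ""


# Constructed sample inventory (assumed vendor and model names, not real products).
INVENTORY = [
    Device("MED-0001", "ExampleMed", "InfusePro", "2.1.0", ["https", "telnet"], "ICU-3"),
    Device("MED-0002", "ExampleMed", "InfusePro", "2.3.1", ["https"], "ICU-3"),
    Device("MED-0003", "ExampleMed", "VitalsMon", "1.0.4", ["https", "hl7"], "Ward-B"),
]

# Constructed sample risk inputs with placeholder references.
RISK_INPUTS = [
    RiskInput("VENDOR-NOTICE-PLACEHOLDER-1", "ExampleMed", "InfusePro", "2.2.0",
              "vendor disclosure", "Vendor notice: update InfusePro firmware to 2.2.0 or later"),
    RiskInput("PENTEST-FINDING-PLACEHOLDER-1", "ExampleMed", "VitalsMon", "1.1.0",
              "pen test", "Internal test finding resolved by VitalsMon firmware 1.1.0"),
]


def build_risk_register(inventory: List[Device], risk_inputs: List[RiskInput]) -> List[RiskEntry]:
    """Cross-reference every risk input against the inventory; one entry per affected device."""
    register = []
    for item in risk_inputs:
        for dev in inventory:
            same_product = dev.vendor == item.vendor and dev.model == item.model
            if same_product and parse_version(dev.firmware) < parse_version(item.fixed_in):
                register.append(RiskEntry(dev.asset_id, item.ref, item.source, item.summary))
    return register


def record_resolution(register: List[RiskEntry], asset_id: str, ref: str, resolution: str) -> RiskEntry:
    """Mark one register entry resolved and keep the final resolution text alongside it."""
    for entry in register:
        if entry.asset_id == asset_id and entry.ref == ref:
            entry.status = "resolved"
            entry.resolution = resolution
            return entry
    raise KeyError(f"no register entry for {asset_id}/{ref}")


def open_entries(register: List[RiskEntry]) -> List[RiskEntry]:
    return [e for e in register if e.status == "open"]


def stale_resolutions(register: List[RiskEntry], inventory: List[Device],
                      risk_inputs: List[RiskInput]) -> List[RiskEntry]:
    """Reassessment step: entries marked resolved whose device firmware is still below the fix version."""
    fixed_in = {r.ref: parse_version(r.fixed_in) for r in risk_inputs}
    firmware = {d.asset_id: parse_version(d.firmware) for d in inventory}
    return [e for e in register
            if e.status == "resolved" and firmware[e.asset_id] < fixed_in[e.ref]]


if __name__ == "__main__":
    reg = build_risk_register(INVENTORY, RISK_INPUTS)
    for e in reg:
        print(e.asset_id, e.ref, e.source, e.status)
    record_resolution(reg, "MED-0001", "VENDOR-NOTICE-PLACEHOLDER-1", "firmware 2.2.0 scheduled")
    print("resolved but still below fix version:",
          [e.asset_id for e in stale_resolutions(reg, INVENTORY, RISK_INPUTS)])
```

The point of `stale_resolutions` is the "ongoing assessment" the provider-side recommendation calls for: a register entry closed on paper stays flagged until the inventory, which should be refreshed from the devices themselves rather than from the change ticket, actually shows the fixed version.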
Importance of framework buy-in
It’s important to note that the JSP framework is a voluntary set of standards and practices that ultimately must be adopted by medical device manufacturers and certifying bodies in order to receive mainstream acceptance as well as optimize overall industry impact.
However, healthcare systems can still use the framework as an assessment guide for prospective medical device manufacturers when purchasing or replacing products, which makes it a sound basis for the equipment procurement process.
Additionally, with support from the leadership and executive chain, hospitals and healthcare entities can feasibly integrate various components of the HSCC’s guidelines into their existing protocols to boost cybersecurity integrity and help minimize the threat of the weakest link in their supply chain.