HSCC Releases New Framework For Medical Device Security


At Fortified Health Security, we’ve seen firsthand how the many cybersecurity threats plaguing medical devices in the United States can affect healthcare facilities and organizations on a national scale. Rapid technology advances have transformed healthcare practices, treatments, and service delivery, dramatically raising the quality of patient care across virtually every medical specialty. However, the accelerated development of new equipment and the resulting increase in system connectivity have brought a sharp rise in cyber attacks and data breaches that can quickly overwhelm even the most robust network security systems.

What to Know About New Medical Device Security

Lack Of Mandated Medical Device Protocol Increases Threat Of Cybersecurity Attacks

As dedicated specialists in healthcare network security and medical device security, the Fortified team has direct experience helping our partners navigate through the complex, multifaceted, and constantly changing landscape of connected medical device vulnerabilities. These vulnerabilities do more than put patient data at risk. Compromises in any of the countless critical care apparatus found in just a single hospital room can quickly put patient lives at risk.

While many providers assume that it’s the facility’s internal infrastructure that enables data breaches, the problem frequently lies with the device itself. Currently, the FDA has no federal mandate outlining required device cybersecurity protections. As a result, both legacy and newly introduced medical equipment can pose a significant (and potentially unknown) threat to healthcare facilities for an indefinite amount of time.

Joint Security Plan Puts New Guidelines Around Testing Process

Fortunately, a government-supported coalition of hospitals and healthcare device manufacturers has joined forces in an attempt to standardize the security testing process for new medical equipment and ultimately reduce the risk of a data breach. On Monday, January 28, 2019, the appointed advisory group known as the Healthcare and Public Health Sector Coordinating Council (HSCC) released a new, voluntary Joint Security Plan (JSP) framework explicitly designed to improve the overall cybersecurity of medical devices throughout their lifecycle. The 53-page document makes several recommendations, including:

Governance

Both healthcare organizations and medical device manufacturers must outline governance benchmarks, defining specific goals, tasks, and requirements. Stakeholders must also develop a standardized training program for personnel to promote a culture of cybersecurity expertise and consistent reevaluation of potential threats.

Risk Assessment

Risk assessment plays a critical role in maintaining network security and supporting patient safety at every stage of the device lifecycle. The HSCC suggests that both healthcare systems and medical device manufacturers develop a process to register and track potential risks as well as their final resolutions, aggregating data from various sources including penetration testing, detailed threat assessments, and vendor disclosures. The framework also suggests that this process include maintaining an up-to-date product inventory that details all device services, solutions, and versions.

Design Control

The HSCC highlighted the need for design controls across both procedures and policies to increase output consistency throughout the product development and software release phases. The JSP framework offers design input requirements, recommendations, and standards as a benchmark for companies looking to define their own internal design control process.

Patch Management

According to the HSCC recommendations, both device manufacturers and providers should outline a patch management approach for medical devices. For manufacturers, this means evaluating, implementing, and sustaining necessary system patching throughout product development, as well as defining how issues that arise with upgrades will be resolved promptly. For healthcare providers, the patch management process includes ongoing assessment of cybersecurity events and risks, checked against their updated device inventory.
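To make the Risk Assessment and Patch Management recommendations above concrete, here is an added example (written for this article, not code from Fortified Health Security or from the HSCC JSP) of a minimal risk register: a device inventory recording services and software versions is cross-referenced against vendor disclosures and penetration-test findings, each resulting risk is tracked to a resolution, and a patch applied to the inventory clears the corresponding vendor-disclosure risk. The vendor, models, advisory identifier, versions and findings are all constructed placeholders, and versions are assumed to be simple dotted numbers.

```python
"""Added example: a minimal risk register driven by a device inventory.
All vendors, models, advisory IDs, versions and findings are constructed."""

from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Device:
    asset_id: str
    vendor: str
    model: str
    software_version: str
    services: Tuple[str, ...]      # network services the device exposes


@dataclass
class VendorDisclosure:
    vendor: str
    model: str
    advisory_id: str               # hypothetical identifier, not a real advisory
    affected_below: str            # software versions strictly lower are affected
    severity: str


@dataclass
class RiskEntry:
    asset_id: str
    source: str                    # "vendor disclosure" or "pen test"
    reference: str                 # advisory id or finding text
    severity: str
    status: str = "open"
    resolution: Optional[str] = None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version ('2.1.4') into a comparable tuple.
    Assumption: versions are purely numeric dotted strings."""
    return tuple(int(part) for part in version.split("."))


def affected(device: Device, disclosure: VendorDisclosure) -> bool:
    """True when the device matches the disclosure and runs an affected version."""
    return (
        device.vendor == disclosure.vendor
        and device.model == disclosure.model
        and parse_version(device.software_version) < parse_version(disclosure.affected_below)
    )


def build_register(inventory: List[Device],
                   disclosures: List[VendorDisclosure],
                   pentest_findings: List[Tuple[str, str, str]]) -> List[RiskEntry]:
    """Aggregate risks from vendor disclosures and pen-test findings into one register."""
    register: List[RiskEntry] = []
    for device in inventory:
        for adv in disclosures:
            if affected(device, adv):
                register.append(RiskEntry(device.asset_id, "vendor disclosure",
                                          adv.advisory_id, adv.severity))
    for asset_id, finding, severity in pentest_findings:
        register.append(RiskEntry(asset_id, "pen test", finding, severity))
    return register


def resolve(register: List[RiskEntry], asset_id: str, reference: str,
            resolution: str) -> Optional[RiskEntry]:
    """Record the final resolution of a tracked risk; returns the entry or None."""
    for entry in register:
        if entry.asset_id == asset_id and entry.reference == reference:
            entry.status = "resolved"
            entry.resolution = resolution
            return entry
    return None


def open_risks(register: List[RiskEntry]) -> List[RiskEntry]:
    return [e for e in register if e.status == "open"]


def apply_patch(inventory: List[Device], asset_id: str, new_version: str) -> List[Device]:
    """Return a new inventory with the named asset's version updated (original untouched)."""
    return [replace(d, software_version=new_version) if d.asset_id == asset_id else d
            for d in inventory]


# Constructed sample data: three devices, one vendor disclosure, one pen-test finding.
INVENTORY = [
    Device("PUMP-001", "ExampleVendor", "InfusionPump X", "2.1.4", ("https",)),
    Device("PUMP-002", "ExampleVendor", "InfusionPump X", "2.3.0", ("https",)),
    Device("MON-001", "ExampleVendor", "BedsideMonitor Z", "1.0.9", ("https", "telnet")),
]
DISCLOSURES = [
    VendorDisclosure("ExampleVendor", "InfusionPump X", "EXV-2019-001",
                     affected_below="2.3.0", severity="high"),
]
PENTEST_FINDINGS = [
    ("MON-001", "telnet management service reachable from clinical VLAN", "medium"),
]

if __name__ == "__main__":
    register = build_register(INVENTORY, DISCLOSURES, PENTEST_FINDINGS)
    for entry in register:
        print(entry)
    resolve(register, "PUMP-001", "EXV-2019-001", "upgraded to 2.3.0")
    print("still open:", [e.asset_id for e in open_risks(register)])
```

Only PUMP-001 matches the disclosure (PUMP-002 already runs the first unaffected version), and the monitor's finding comes from the pen test rather than from the vendor, which is exactly why the JSP asks for multiple sources to feed one register. Re-running `build_register` on the inventory returned by `apply_patch` is the provider-side check that the patch actually closed the risk, instead of relying on the resolution note alone.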

Framework Buy-In From Providers And Vendors Can Make A Difference

It’s important to note that the JSP framework is a voluntary set of standards and practices that must ultimately be adopted by medical device manufacturers and certifying bodies in order to gain mainstream acceptance and have a meaningful effect on the industry. However, healthcare systems can already use the framework as an assessment guide for prospective medical device manufacturers when purchasing or replacing products, making it a sound basis for the equipment procurement process. Additionally, with support from leadership and the executive chain, hospitals and healthcare entities can feasibly integrate components of the HSCC’s guidelines into their existing protocols to strengthen their cybersecurity posture and help minimize the threat posed by the weakest link in their supply chain.

Want to hear more about how you can use the JSP Framework to secure medical devices at your healthcare facility? Contact Fortified Health Security today!