A New Effort to Draft Medical Device Cybersecurity Guidance
Council Leader Greg Garcia Describes Massive Collaborative Project
An advisory group that includes a diverse array of members will spend the coming months devising detailed guidance on how to address the "shared responsibility" of medical device cybersecurity.
Greg Garcia, who heads the cybersecurity efforts of the Healthcare and Public Health Sector Coordinating Council, explains that the group is collaborating with the Department of Health and Human Services and Department of Homeland Security to identify and mitigate threats and vulnerabilities facing the healthcare sector.
"We have a task group which is co-chaired by a device maker and a hospital - both stakeholders in this process," Garcia says in an interview with Information Security Media Group. The task group, which includes representatives of about 35 organizations, is working on a joint strategic plan "that recognizes that medical device cybersecurity is a shared challenge and therefore a shared responsibility."
The group "is looking at what are good practices for device makers to design and build good security into their devices and manage patching, and how to deal with end-of-life products and support," he explains. It also is determining the responsibilities of hospitals and users "to manage those devices in a secure way."
The Food and Drug Administration is participating in this ongoing effort to develop voluntary guidelines for medical device cybersecurity, Garcia says.
"Everyone recognizes that if we as an industry can step up to manage security in a way that is evolving along with the threats, and evolving along with technological innovation, that's a better alternative to regulation," he says.
The task group's upcoming guidance - which will likely be released sometime next year - "will represent the best thinking of major stakeholders in the industry ... from the provider side and device maker side and government side, as well," Garcia says.
In the interview (see audio link below photo), Garcia also discusses:
- How the coordinating council and its subgroups are tackling the cybersecurity recommendations in a report issued last June by the now disbanded HHS Cyber Task Force;
- Cyber information sharing efforts in the healthcare sector;
- Ransomware and other top cyber threats;
- Lessons the healthcare sector can learn from the Russian hacker interference in the 2016 U.S. presidential election.
Garcia is executive director of the Joint Cybersecurity Working Group of the Healthcare and Public Health Sector Coordinating Council, which brings together the many subsectors of the healthcare industry, in collaboration with the government, to develop and implement ways to strengthen the sector's security and resiliency against cyber and physical threats. Previously, Garcia was the nation's first assistant secretary for cybersecurity and communications at the Department of Homeland Security. After DHS, he created and led Bank of America's external partnership strategy for cybersecurity and identity management and then headed the Financial Services Sector Coordinating Council.