New Medical Device Cybersecurity Framework UnveiledRecommends Vendors Address Issues Throughout Product Lifecycle
The framework recommends, for example, that in the product concept development phase, manufacturers should establish how cybersecurity will be managed throughout the device's lifecycle. It also recommends that these companies provide a bill of materials listing third-party software contained in their products, plus provide a mechanism for obtaining feedback about devices - including reports about vulnerabilities - and then issuing plans to remediate those problems.
Organizations using medical devices should take a number of steps, according to the framework, including: Assess the risk of new devices entering their facilities; manage risks over the lifecycle of these systems, including monitoring of vulnerability disclosures; maintain patches; and provide training for their workforce on their roles for managing cybersecurity.
"The most significant aspect of the [framework] is that it emphasizes security is an aspect of the whole design, development, qualification and launch processes that a device goes through," Kevin McDonald, director of clinical information security at the Mayo Clinic, and co-chair of the Joint Security Plan initiative, tells Information Security Media Group.
The framework's focus on the lifecycle of medical devices is critical, he stresses. "By doing this, it is taking steps to ensure that we have 'secure by design' product that is easier to maintain throughout the product lifecycle."
Many Organizations Involved
The Medical Device and Health IT Joint Security Plan was developed over the last year by the Healthcare and Public Health Sector Coordinating Council, or HSCC - one of 16 critical infrastructure councils that partners with the government.
The framework also builds upon recommendations contained in a June 2017 report by the Healthcare Industry Cybersecurity Task Force, which urged voluntary measures to improve the security and resilience of medical devices and health IT. That task force was established by the Department of Health and Human Services at the direction of the Cybersecurity Information Sharing Act of 2015.
More than 80 organizations - ranging from healthcare providers to technology vendors, industry associations, and government agencies, provided input on the document.
"I believe the biggest win for healthcare delivery organizations will be the increased transparency and information on the security posture of devices."
—Kevin McDonald, Mayo Clinic
"What is compelling about this effort is the number of organizations that participated in its development, including medical device companies, electronic health records companies and hospital systems and their associations," Greg Garcia, HSCC executive director, tells ISMG.
"Moreover, the JSP [Joint Security Plan], when coupled with ... the Health Industry Cybersecurity Practices, demonstrates cross-sector unity around the shared responsibility of cybersecurity in healthcare," he adds, referring to a four-volume publication of voluntary cybersecurity best practices released in January by the Department of Health and Human Services and HSCC (see: HHS Publishes Guide to Cybersecurity Best Practices).
The Joint Security Plan document identifies the "shared responsibility between industry stakeholders to harmonize security related standards, risk assessment methodologies and vulnerability reporting requirements to improve the information sharing between manufactures and healthcare organizations," HSCC says.
The framework is a "total lifecycle reference guide" ranging from manufacturing to managing the security of medical devices in clinical practices, HSCC says in a statement.
The Joint Security Plan is a "living document" that will be updated as needed to adapt to the evolving threat environment for medical devices and health IT solutions, HSCC says.
"We ... believe that medical device and health IT companies recognize that they are essential contributors to critical healthcare infrastructure and that they accordingly have a responsibility to ensure the security of their devices and support patient safety," Garcia tells ISMG.
"The fact is, many of the larger manufacturers are already deploying product security programs similar to this, so the focus should be on those smaller and mid-sized companies that have been less aware and have less resources but are nevertheless important parts of the supply chain."
The framework aims to underline the importance of the healthcare sector taking steps to improve medical device cybersecurity, including areas that are currently deficient in the development of new products, Mayo's McDonald says.
"The parts of the framework that are often not given enough attention [by the healthcare sector today] are security requirements and design," he says. "The framework gives some good examples of design inputs that are based on industry standards and security best practice."
A 'Reference Guide'
The Joint Security Plan is not a regulatory document nor a standard. "Rather the JSP may be leveraged across an organization's product portfolio and is intended to be globally applicable," the document notes.
"The recommendations provided in the JSP are intended to help organizations of various size and stages of maturity to enhance their product cybersecurity posture by addressing key cybersecurity challenges."
The framework is "a total product lifecycle reference guide" to developing, deploying and supporting cyber secure technology solutions in the healthcare environment, the document notes. It makes recommendations for how to:
- Use cybersecurity practices in design and development of medical technology products;
- Handle product complaints relating to cybersecurity incidents and vulnerabilities;
- Manage security risk throughout the lifecycle of medical technology;
- Assess the maturity of a product cybersecurity program, based on a "capability maturity model index."
Putting Framework to Use
MacDonald says his organization is already using recommendations spotlighted in the framework.
"At Mayo Clinic we have implemented many of the practices that pertain to healthcare delivery organizations," he says.
If device manufacturers implement the framework's recommendations, that would help healthcare providers in their efforts to bolster the cybersecurity of products used in their organizations, he says.
"I believe the biggest win for healthcare delivery organizations will be the increased transparency and information on the security posture of devices. Things such as the 'software bill of materials' and the customer security documentation will help everyone assess risk."
A bill of materials includes a list of third-party software - including version numbers - contained in devices.
The recommendations of the Joint Security Plan, especially those focused on manufacturers building cybersecurity into the life cycle of their products, echo the recommendations of the Food and Drug Administration in its recently updated draft pre-market cybersecurity guidance for medical devices (see: FDA Calls for Cybersecurity Bill of Materials for Devices).
"We are proud of partnerships and alliances that demonstrate the far-reaching potential of collaboration across the public and private sector," says Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.
"Securing medical devices from cybersecurity threats cannot be achieved by the FDA on its own. That's why the FDA has long been committed to working hard with various stakeholders like the HSCC to stay a step ahead of constantly evolving cybersecurity vulnerabilities," Schwartz says.
Connecting the Dots
The new HSCC framework builds upon the recommendations of the HHS cyber task force, notes former healthcare CIO David Finn, executive vice president of security consultancy CynergisTek, and a member of that HHS panel.
"This framework begins to connect the dots around securely deploying [device] technologies. It isn't just the device makers ... Just as it is a shared responsibility to acquire, deploy and use these technologies and devices, it will be a shared responsibility to protect them - and the patients and their data that are also part of this continuum," he says. "This framework starts with governance of these processes and steps you through all the processes using a life-cycle model and focused on continuous improvement. Not everything will get fixed at one time, but you must start."
Although the framework is good start, following it's recommendations won't solve all the medical device cybersecurity issues, he notes.
"I am very happy to see the industry addressing this massive issue, but we have to remember that this is really a two-fold problem. There are the new things coming down the line and we can very quickly implement - better acquisition processes and policies, better installation, deployment and updating processes all the way through to data destruction and end-of-life processes for medical devices. There are still the millions of legacy devices already out there, deployed across thousands of providers."