Dive Brief:

• The Healthcare and Public Health Sector Coordinating Council (HSCC), a public-private collaboration, published a 53-page report this week with recommendations for managing the cybersecurity of medical devices in clinical practice.
• Called the Medical Device and Health IT Joint Security Plan (JSP), the document emphasizes that aligning security standards and risk assessments, as well as reporting vulnerabilities, are shared responsibilities of manufacturers and healthcare organizations.
• BD, Mayo Clinic and FDA co-chaired the task group that crafted the recommendations. “Our primary ask of organizations is to make a commitment to implementing the JSP, as it is expected that patient safety will be positively impacted as a result,” the report states.

Dive Insight:

Cybersecurity remains at the forefront of regulatory efforts in medical technology and health IT. FDA is considering requiring device makers to submit a software bill of materials as part of premarket submissions. The agency has also hinted that more action may be coming to require companies to adopt procedures for coordinated disclosure of vulnerabilities as they are identified.

Last year, FDA released its Medical Device Safety Action Plan and draft guidance on cybersecurity considerations for premarket submissions. FDA also formalized a partnership with the Department of Homeland Security.

The JSP initiative grew out of a 2017 effort by the Health Care Industry Cybersecurity (HCIC) Task Force to strengthen the cybersecurity of medical devices and health IT. The HCIC was established by HHS under the Cyber Security Act of 2015 to identify the challenges facing the healthcare industry in protecting itself against cybersecurity threats.

The JSP document is intended to serve as a reference guide for developing, deploying and supporting secure healthcare technology over a product’s total lifecycle. The voluntary plan covers:

• Cybersecurity practices for designing medtech products.
• Handling product complaints related to cybersecurity incidents and vulnerabilities.
• Managing risk throughout the product lifecycle.
• Assessing the maturity of a product cybersecurity program.

HSCC, which released the report, is a public-private partnership whose Joint Cybersecurity Working Group includes more than 200 medical device and health IT companies, healthcare providers, plans and payers, labs and pharma companies.

Suzanne Schwartz, associate director for science and strategic partnerships at FDA’s Center for Devices and Radiological Health, said FDA is working with stakeholders such as HSCC because the agency recognizes that it can't secure medical devices from cybersecurity threats on its own. The aim is to ensure the healthcare sector can proactively respond when cyber vulnerabilities are identified in products, Schwartz said in a press release.

FDA is also in the midst of a two-day public workshop regarding content of premarket submissions for cybersecurity management in medical devices.

At future events – like @Defcon – we encourage manufacturers to increase engagement with the cyber research community through device demos and our #wehearthackers event. This demonstrates a company’s commitment to cyber principles: Trustworthiness. Transparency. Resilience.

— Scott Gottlieb, M.D. (@SGottliebFDA) January 29, 2019