Connected medical devices, like all other computer systems, are vulnerable to threats that may lead to compromise of data confidentiality, integrity, and availability. To address these challenges, the Healthcare and Public Health Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group recently issued the Medical Device and Health Information Technology (IT) Joint Security Plan (JSP).  This new voluntary program for medical device manufacturers (medical technology) and healthcare providers (health IT and delivery organizations) has been issued to further improve cybersecurity in our medical devices and healthcare infrastructure.
A framework for designing in safety
The HSCC Joint Cybersecurity Working Group (JCWG) is a standing working group of the HSCC composed of more than 200 industry and government organizations working together to develop strategies to address emerging and ongoing cybersecurity challenges to the health sector. The result of this collaboration is the newly issued JSP.
Of course, use of the JSP is encouraged and therefore the working group has expressly considered how the plan would fit with the various quality and management systems already being utilized by medical device manufacturers, their contract manufacturers and vendors, and healthcare sector providers at all levels (medical device users and healthcare sector IT infrastructure). Medical device manufacturers and IT developers are an important pillar in the national and global healthcare sectors and are in the unique position to design in safety where possible.
One of the advantages of digital technology is the speed with which it may evolve and improve. However, this same rapid pace of development opens up opportunities for the nefarious use or targeting of sensitive digital technologies when these technologies reach the market. In the healthcare sector, those involved in health delivery, health delivery security, and health IT are often the first to discover malfunctions and faults as well as possible and known security breaches or vulnerabilities. Therefore, communication between all parties involved in the healthcare sector is key.
The JCWG intends the JSP to provide a framework for addressing needed transparency and disclosure between vendors and end users as well as cybersecurity by design and throughout the product lifecycle, including product end of life.
What medical device manufacturers need to know
In an effort to leverage existing resources and experience and make implementation of the JSP as easy as possible, specifically concerning the design and development of medical devices, care was taken to align the core principles of the JSP with those already used in medical device design and development globally. Many of the principles utilized will be familiar to those already operating under quality and management systems defined in medical device standards and regulations such as ISO 13485 and ISO 14997 internationally, FDA 21 CFR Part 820 in the United States, and the new Medical Device Regulation (MDR) in the EU. The JSP, like these standards and regulations, addresses the total product lifecycle and the JSP should serve as a reference guide for all stages of device design and development, including deploying, supporting, and decommissioning cybersecure technology solutions.
The JSP addresses the following key principles:
- Cybersecurity practices in design and development of medical technology products
- Handling product complaints relating to cybersecurity incidents and vulnerabilities
- Managing security risk throughout the lifecycle of medical technology
- Assessing the maturity of a product cybersecurity program
Those of you already actively engaged in medical device development employing software and/or interoperative capabilities should already be familiar with all these principles as they closely mirror those advanced by the FDA over the past decade. These can be found in the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices published in 2005 and Postmarket Management of Cybersecurity in Medical Devices published in 2016. In the former guidance, FDA addressed the following key principles:
- Sharing responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices
- Addressing cybersecurity during the design and development of the medical device
- Establishing design inputs for devices related to cybersecurity and establishing a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g)
In the 2016 guidance, the FDA recommends that manufacturers apply the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity in the development and implementation of a medical device manufacturer’s comprehensive cybersecurity program. This framework entails the following:
- Establishing and communicating processes for vulnerability intake and handling
- Adopting a coordinated disclosure policy and practice
- Deploying mitigations that address cybersecurity risk early and prior to exploitation
- Engaging in collaborative information sharing for cyber vulnerabilities and threats
Use of a risk-based framework, including risk management, design controls, and post-market surveillance are essential to ensuring risks to the public health are addressed in a continual and timely fashion. For device manufacturers and their partners, this is best achieved by leveraging or amending their existing quality management systems and post-market procedures and processes as well as fostering a collaborative and coordinated approach to information sharing and risk assessment.
The publication of the JSP, a result of one such collaborative effort, is one mechanism being employed to facilitate coordination and greater adaptation of these fundamentals by all stakeholders. The JSP provides multiple appendices containing insights, methods, and tools for implementing medical device cybersecurity design control, conducting cybersecurity risk management, and complaint handling and reporting involving cybersecurity threats and failures that may be utilized by all stakeholders in fulfilling their part in ensuring a safer digital world and healthier tomorrow.
 Healthcare and Public Health Sector Coordinating Council (HSCC). (2019, January 28). The Joint Security Plan (JSP). Retrieved fromhttps://healthsectorcouncil.org/the-joint-security-plan/.
 Center for Devices and Radiological Health. (2005, May). Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices. Retrieved fromhttps://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices.
 Center for Devices and Radiological Health. (2016, December). Postmarket Management of Cybersecurity in Medical Devices. Retrieved fromhttps://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices.
 Barrett, M. P. (2018, November 10). Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. Retrieved fromhttps://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11.