Rachel Klemovitch, Assistant Editor 03.19.24
The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group published updated recommendations for manufacturing and managing secure medical devices for clinical practice. The “Medical Device and Health IT Joint Security Plan (JSP) 2.0” provides important updates on the original JSP published in 2019.
JSP offers a complete product lifecycle reference guide to developing, deploying, and supporting cyber-secure technology solutions in the healthcare environment. JSP uses “secure-by-default” and “secure-by-design” principles throughout the lifecycles of medical devices and health IT solutions.
The JSP 2.0 makes significant steps forward in goals #6 and #7 in HSCC’s five-year Health Industry Cybersecurity Strategic Plan (HIC-SP). The updated JSP identifies shared responsibility between stakeholders, medical technology manufacturers, and health provider organizations to harmonize security-related standards, risk assessment methodologies, and vulnerability reporting requirements.
HSCC executive director Greg Garcia commented, “Since the JSP was first published in 2019, there has been a growth in attention to its continuing imperative that manufacturers build security into the total lifecycle of medical devices, and that their customers expect it. Indeed, the JSP was prepared by an influential cross section of health providers and device manufacturers, as well as FDA, as a living document that should be updated as threats, practices, and policy evolve.”
In June 2017 the Health Care Industry Cybersecurity (HCIC) Task Force urged increased security and resilience efforts for medical devices and health IT. The JSP 2.0 responds to these recommendations. The Department of Health and Human Services established the HCIC per the directions of the Cyber Security Act of 2015.
“Patient safety is the top priority for both hospitals and medical device manufacturers. One aspect of patient safety involves taking actions to protect against cybersecurity threats,” said initiative co-chair and senior director of clinical security at MedSec, Debra Bruemmer. “The JSP emphasizes these actions as a shared responsibility. It guides manufacturers toward how to build security into products and assess and communicate security vulnerabilities throughout a device’s lifecycle. To leverage the actions of manufacturers, hospitals need to have processes to handle vulnerability disclosures, apply software patches and plan for products reaching end of support. Ultimately, it is the patient who benefits from these joint efforts.”
Chris Reed, Vice President of Product Security at Medtronic and co-chair of the initiative, said, “Medical device product security programs are critical to patient safety and product quality, which is why the updated JSP focused on organizing important content so it’s easy to use and reference. Most notably, this resource was developed in partnership with Healthcare Delivery Organizations to ensure the voice of the customer is represented in the product security activities detailed in the document. This resource can help medical device manufacturers of all sizes understand and mature product security activities that help ensure the delivery of safe, secure and effective products. I have personally leveraged the JSP since its initial release to build and mature medical device product security programs and am excited for more organizations to utilize it.”
“The FDA’s partnership with HSCC in developing the JSP is another step among regulators, industry and the healthcare sector to help manage cybersecurity threats related to medical devices,” said Aftin Ross, the deputy director for the Office of Readiness and Response at the FDA’s Center for Devices and Radiological Health, Office of Strategic Partnership and Technology Innovation. Dr. Ross, a co-chair of the initiative, added, “This collaboration aligns with the FDA’s regulatory work to assure that patients and providers have timely and continued access to safe, effective and high-quality medical devices.”