While securing medical devices is often approached differently than infosec and protecting more traditional IT, the Healthcare and Public Health Sector Coordinating Council (HSCC) said the time has come to tackle both together.
WHY IT MATTERS
Security can be difficult to integrate into existing processes, the JSP said. Reasons for this vary, including organizations not realizing the importance of cybersecurity measures for medical devices; not knowing where to start; and insufficient resources.
To that end, HSCC, comprised of more than 60 representatives from the Food and Drug Administration, the medical technology and health IT industries and healthcare provider organizations, released a new report on how to keep medical devices safer.
The 53-page report, titled “The Medical Device and Health IT Joint Security Plan (JSP),” is the result of a recommendation from the Health Care Industry Cybersecurity Task Force issued in June 2017, calling for a cross-sector strategy to strengthen cybersecurity in medical devices.
“Software-based medical technologies have the potential to positively impact patient care,” according to the report. “However, as these products become more connected, product cybersecurity becomes increasingly important as there is the potential for patient harm and disruption of care if products or clinical operations become impacted because of a cybersecurity concern.”
THE LARGER TREND
Often CEOs and CFOs underinvest in cybersecurity, our sister publication, Healthcare Finance News, reported earlier this month. Despite the shockwaves that rippled through healthcare after massive cyberattacks such as WannaCry and NotPetya, selling cybersecurity to system executives and other decision makers is still a regular hurdle for CIOs and CISOs. Because these executives and their board members are often not cybersecurity experts, it’s important for CIOs to explain the dangers in terms they can digest, with “real-life resonance.”
Conventional IT has had years to implement programs for securing assets and data, but the protection of the Internet of Medical Things is not yet at the same maturity level.
“Since data is the coin of the realm in healthcare, this phenomenon has been embraced by makers of medical equipment and has spurred innovation in a great many cases,” Matthew Broomhall, CTO of technology support services for healthcare at IBM told Healthcare IT News, Jan. 8. “If you contrast this to information technology as we understand it today, IT has had years to implement programs to protect IT assets and data.”
CIOs and CISOs now must accelerate programs to insure their medical devices are protected and therefore the data these devices generate and exchange, Broomhall said.
ON THE RECORD
The report emphasizes that cyber security is a shared responsibility. Development, deployment and supporting cybersecure solutions across the entire lifecycle of a product are important. The report is intended to be globally applicable, authors of the report say.
“Our primary ask of organizations is to make a commitment to implementing the JSP as it is expected that patient safety will be positively impacted as a result,” say the authors of the newly released Medical Device and Health IT Joint Security Plan.
Diana Manos is a Washington, D.C.-area freelance writer specializing in healthcare, wellness and technology.