The Healthcare and Public Health Sector Coordinating Council (HSCC) published a report earlier this week with recommendations for managing the security of medical devices in clinical practice. This ‘Joint Medical Device Security Lifecycle Guidance’ aims to help all stakeholders secure devices throughout the product lifecycle. The HSCC is a public-private collaboration, made up of the FDA, Cerner, Mayo Clinic, and others.
The report acknowledged that both vendors and organisations struggle with integrating device security into current processes – attributed to a lack of recognition of its importance – and being unsure about where to start or having insufficient resources.
The first step in recommendations is for organisations to define their governance processes, including roles, responsibilities and personnel training. This stage also includes making strategic decisions, establishing goals and tracking the maturity of device security against the framework. The results of the maturity evaluation are advised to be shared with customers and HSCC, in order to improve future frameworks. The report also suggested that adoption should be driven by mapping cybersecurity activities and processes into existing processes, while simultaneously reducing redundant processes.
Risk assessments are of course crucial to ensuring patient safety throughout all stages of the medical device lifecycle. HSCC recommended both vendors and health providers build a risk register or log which tracks remediation and framework activities as well as mapping known vulnerabilities or risks.
The HSCC highlighted the need for design controls of policies and procedures to ensure that product design inputs are met so that correct requirements can be developed. The report also contained guidance around design input requirements, including system hardening standards and vulnerability scanning, and software requirements, secure coding standards, and code analysis.
Recommendations were also made to vendors to routinely identify, apply, and maintain system-patching throughout the product development process for products and components, and consider remediation planning within a reasonable timeframe, which includes product and component upgrade. Designed for organisations of all sizes, HSCC said it hopes the guidance will “inspire organisations to raise the bar for product cybersecurity posture.”