In an effort to improve data sharing and cybersecurity in medical devices, three national organizations have signed a new Memorandum of Understanding (MOU) outlining new measures device manufacturers should be aware of.
The National Health Information Sharing and Analysis Center (NH-ISAC), the National Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) have each signed off on the new set of goals aimed at mitigating cybersecurity threats.
We've summarized the four key objectives laid out in the MOU along with general considerations for device companies.
1. Encourage Stakeholders to Share Cybersecurity Vulnerabilities
FDA intends to establish a system for sharing cybersecurity vulnerabilities and threats with the NH-ISAC and MDISS. The MOU does not authorize FDA to share, and FDA does not intend to share, confidential commercial, trade secret, or personal privacy information with NH-ISAC or MDISS.
Conversely, NH-ISAC and MDISS will work to establish a mechanism for sharing cybersecurity vulnerabilities relevant to medical devices with FDA, such that the existing agreements among NH-ISAC and MDISS members will not be infringed upon.
Device manufacturers whose products may be threatened by cybersecurity risks should begin documenting and prioritizing those potential risks for eventual submission to these proposed systems.
2. Promote the Framework for Improving Critical Infrastructure Cybersecurity
The Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology, is a set of voluntary, risk-based standards and best practices designed to help organizations manage cybersecurity risks as an extension of Executive Order 13636, "Improving Critical Infrastructure Cybersecurity."
Specifically, the framework lays out cost-effective ways companies can manage cybersecurity risks without taking on new regulatory requirements.
Device manufacturers should closely examine these guidelines and take an active role in adapting their principles and best practices to address the unique cybersecurity needs they may be facing now and in the future.
The framework is particularly relevant for international manufacturers as it references globally recognized standards for cybersecurity—an important tool for building international cooperation with outside organizations.
3. Encourage Innovative Strategies for Identifying and Preventing Vulnerabilities
Device companies should consider novel strategies to both address current cybersecurity risks and anticipate those that may arise in the future. The MOU conveys the ongoing support of these initiatives by the organizations involved.
Look to existing resources on the subject, such as HIPAA's recent presentation, Medical Device Cybersecurity: Moving The Needle Together, as a helpful starting point for developing innovative new strategies.
4. Build Trust Within the HPH Sector