In an effort to improve data sharing and cybersecurity in medical devices, three national organizations have signed a new Memorandum of Understanding (MOU) outlining new measures device manufacturers should be aware of.
The National Health Information Sharing and Analysis Center (NH-ISAC), the National Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) have each signed off on the new set of goals aimed at mitigating cybersecurity threats.
We've summarized the four key objectives laid out in the MOU along with general considerations for device companies.
1. Encourage Stakeholders to Share Cybersecurity Vulnerabilities
"Create an environment that fosters stakeholder collaboration and communication, and encourages the sharing of information about cybersecurity vulnerabilities that may affect the safety, effectiveness and security of the medical devices, and/or the integrity and security of the surrounding healthcare IT infrastructure. Ultimately, exploited vulnerabilities may have downstream public health and patient safety consequences."
FDA intends to establish a system for sharing cybersecurity vulnerabilities and threats with the NH-ISAC and MDISS. The MOU does not authorize FDA to share confidential commercial, trade secret, or personal privacy information with NH-ISAC or MDISS, and FDA does not intend to do so.
Conversely, NH-ISAC and MDISS will work to establish a mechanism for sharing cybersecurity vulnerabilities relevant to medical devices with FDA, in a way that does not infringe on the existing agreements among NH-ISAC and MDISS members.
Device manufacturers whose products may be exposed to cybersecurity risks should begin documenting and prioritizing those risks now, so they are ready for eventual submission through these proposed sharing mechanisms.
2. Promote the Framework for Improving Critical Infrastructure Cybersecurity
"Develop awareness of the Framework for Improving Critical Infrastructure Cybersecurity (developed by the National Institute for Standards and Technology, herein referred to as NIST, with collective input from other government agencies and the private sector), and enable HPH sector stakeholders to successfully adapt and operationalize the framework for their organizations and products."
The Framework for Improving Critical Infrastructure Cybersecurity is a set of voluntary, risk-based standards and best practices designed to help organizations manage cybersecurity risks. It was developed as an extension of Executive Order 13636, "Improving Critical Infrastructure Cybersecurity."
Specifically, the framework lays out cost-effective ways companies can manage cybersecurity risks without taking on new regulatory requirements.
Device manufacturers should closely examine these guidelines and take an active role in adapting the framework's principles and best practices to address the unique cybersecurity needs they may be facing now and in the future.
The framework is particularly relevant for international manufacturers because it references globally recognized cybersecurity standards, which makes it a useful tool for building cooperation with outside organizations across borders.
3. Encourage Innovative Strategies for Identifying and Preventing Vulnerabilities
"The parties intend to collaborate to develop a shared understanding of the risks posed by cybersecurity vulnerabilities to medical devices. The parties also intend to foster the development of a shared risk assessment framework to enable stakeholders to consistently and efficiently assess patient safety and public health risks associated with identified cybersecurity vulnerabilities and take timely, appropriate action to mitigate the risks. This approach will also enable stakeholders to provide timely situational awareness to the HPH community and take efforts to preemptively address the cybersecurity vulnerability through appropriate mitigation and/or remediation before it impacts the safety, effectiveness or security of medical devices, or the integrity/security of the Healthcare IT infrastructure."
Device companies should consider novel strategies to both address current cybersecurity risks and anticipate those that may arise in the future. The MOU conveys the ongoing support of these initiatives by the organizations involved.
Look to existing resources on the subject, such as HIPAA's recent presentation, Medical Device Cybersecurity: Moving The Needle Together, as a helpful starting point for developing innovative new strategies.
4. Build Trust Within the HPH Sector
"Build a foundation of trust within the HPH community (including but not limited to medical device manufacturers, end user facilities, providers and healthcare organizations) so that all healthcare technology and medical device stakeholders can directly benefit from the sharing of cybersecurity vulnerability- and/or threat information identified within the HPH Sector, as well as intelligence feeds from other Critical Infrastructure Sectors that may secondarily affect healthcare and the public health. Gaining timely situational awareness of cybersecurity vulnerabilities that can have negative consequences for patient safety provides stakeholders with an opportunity to share solutions in advance of potential harm and possibly prevent economic or ‘brand’ damage. It would further enable owners and operators of critical infrastructure to proactively take appropriate measures to strengthen cybersecurity within the HPH sector with accuracy and agility."
Want to learn more key developments medical device companies should be aware of in 2016? Download our free white paper: FDA Trends & Developments in the Medical Device Industry: 2016.