The second episode of the seven-part CHIME Medical Device Security webinar series aired last week. The episode addressed the topic of aligning healthcare cybersecurity for connected medical devices with a new cybersecurity law for healthcare. Once again, I moderated the episode in my new role as Senior Account Executive with Nuvolo. I was joined by two industry experts who weighed in on the subject: Erik Decker, the CISO of Intermountain Healthcare, former Board Chair of the Association for Executives in Healthcare Information Security (AEHIS), and co-leader of the HHS task group implementing the Cybersecurity Act of 2015; and, returning from Episode One, Rob Suárez, CISO of Becton Dickinson (BD) and chairman of the Medical Device Innovation Consortium’s (MDIC) Cybersecurity Steering Committee and the Advanced Medical Technology Association’s (AdvaMed) Cybersecurity Work Group.
The Cybersecurity Act of 2015, in particular its 405(d) provision, expressly calls out the healthcare industry. While the name “405(d)” offers little insight as to the legislation’s relevance to medical device security, Mr. Decker is uniquely positioned, perhaps more so than anyone else, to elaborate on its significance. As he explained, healthcare is officially designated as critical infrastructure and simply requires more protection. Cyber-attacks on hospital operations are direct threats to patient safety, and compromises of highly sensitive electronic health information threaten patient privacy rights. Ransomware attempts against healthcare are increasing, rising 123% in 2020 and incurring $20.8 billion in downtime costs. 405(d) mandates the formation of an industry-led task group to publish a compendium of cybersecurity best practices, frameworks, methodologies, technologies, and other recommendations to serve as a set of Federally recognized cybersecurity practices that afford legal safe harbor to Health Delivery Organizations (HDOs) when implemented. In the words of Mr. Decker, “It’s a way to draw a line in the sand and say, ‘here is an example of what you can do that demonstrates best practice’; and if you do it, you get a benefit for it; and if you don’t, you might be hindered by it.” The cornerstone publication of the 405(d) task group is Health Industry Cybersecurity Practices (HICP, pronounced like ‘hiccup’). Comprised of three primary volumes, HICP has a main document providing a high-level summary of the threats and recommendations, and two technical volumes prescribing specific practices, including for connected medical devices, to be implemented by IT specialists of small, medium, and large HDOs. Under the new law, Public Law 116-321, following the best practices for medical device security detailed in HICP will require the Office of Civil Rights within the HHS (OCR) to consider reductions in fines, audits, and post-breach oversight.
Next, Mr. Suárez discussed the Medical Device and Health IT Joint Security Plan (JSP), authored by a Healthcare and Public Health Sector Coordinating Council (HSCC) task group in 2019, which Mr. Suárez co-chaired. The JSP document proposes a voluntary framework in which responsibility for medical device security is disseminated across healthcare stakeholder organizations. Under the JSP, MDMs proactively aid their customers by developing and communicating processes, personnel training recommendations, device life-cycle strategy, vulnerability patches, decommissioning plans, and incorporating HDO feedback into future product design. HDOs work with their vendors to establish baseline best practices and measures of device maturity and process effectiveness, communicate complaints and discovered vulnerabilities, and institute remediation procedures.
Episode Three of CHIME’s Medical Device Security webinar series airs on Thursday, August 5th. If you missed Episode One, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.
- 405d: A provision within the Cybersecurity Act of 2015 (CSA). The CSA 405(d) document aims to raise awareness, provide vetted practices, and foster consistency in mitigating the most pertinent and current cybersecurity threats to the sector. It seeks to aid the Healthcare and Public Health (HPH) sector organizations to develop meaningful cybersecurity objectives and outcomes.
- AdvaMed: Advanced Medical Technology Association
- AEHIS: Association for Executives in Healthcare Information Security
- BD: Becton Dickinson
- CHIME: College of Healthcare Information Management Executives
- HDOs: Health Delivery Organizations
- HHS: Health and Human Services
- HICP: Health Industry Cybersecurity Practices
- HSCC: Healthcare and Public Health Sector Coordinating Council
- JSP: Medical Device and Health IT Joint Security Plan
- MDIC: Medical Device Innovation Consortium
- MDM: Medical Device Manufacturers
- OCR: Office of Civil Rights within the HHS
- Public Law 116-321: An act to amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes