HSCA outlines cybersecurity considerations for medical device manufacturers, HDOs, service providers

The Healthcare Supply Chain Association (HSCA) has highlighted cybersecurity considerations for medical device manufacturers, healthcare delivery organizations (HDOs), and service providers to help safeguard patient health, safety, and privacy. Given its unique view of the entire healthcare supply chain, the HSCA also made key cybersecurity recommendations to medical device manufacturers, HDOs, and service providers. 

Recognizing that medical devices and services are vulnerable to cybersecurity threats that could jeopardize patient health, safety, and privacy, HSCA said that the increased use of connected medical devices and software as a service (SaaS), adoption of wireless technology, and overall increased medical device and service connectivity to the internet significantly increase the risks of cybersecurity threats.

The association also said that maintaining device and information security is a shared responsibility of the manufacturers and suppliers of connected devices and services, as well as the HDOs that use them. Providing this security is a continual effort that requires vigilance, adaptation, and ongoing communication and collaboration between the parties.

Based in Washington D.C., the HSCA and its group purchasing organization (GPO) members are the sourcing and purchasing partners to America’s hospitals, long-term care facilities, surgery centers, clinics, and other HDOs. 

“The widespread adoption of telemedicine and rapid shift to virtual operations during the COVID-19 pandemic has underscored the important role that information technology, software, and medical devices can play in improving patient care,” Todd Ebert, HSCA president and CEO, said in a media statement. “However, as evidenced by recent cyberattacks, medical devices and services are vulnerable to cybersecurity threats that could jeopardize patient health, safety, and privacy. GPOs leverage their unique line of sight over the supply chain to help providers harness the benefits of technology to care for their patients while guarding against cyber threats,” he added.

The HSCA’s cybersecurity recommendations cover cybersecurity training and software, including designating an information technology security officer, maintaining updated anti-virus software, and implementing role-appropriate cyber training and assessments. They also address equipment acquisition standards and risk coverage, including ensuring compliance with regulatory standards for purchasing medical devices and updating legacy devices, carrying insurance policies that cover cybersecurity risks, and validating devices by testing manufacturer claims.

The association also covered data encryption, including encrypting personal authentication data as well as any confidential or sensitive information where practical. It also covered information sharing and standards organizations, including participation in Information Sharing and Analysis Organizations (ISAOs). The recommendations further call for certification that suppliers of network-accessible medical devices, software, and services comply with the current U.S. Food and Drug Administration (FDA) guidance documents, and seek to ensure that manufacturers provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2).

In addition to these measures, the HSCA also published ‘Recommendations for Medical Device Cybersecurity Terms and Conditions,’ which details potential purchasing contract terms and conditions that could help ensure rapid adoption of rigorous cybersecurity measures.

The association calls upon HDOs, medical device manufacturers, and service suppliers to designate an information technology and/or network security officer to be responsible for the security of the organization, its services, and its products. Employees with network access should receive role-appropriate periodic training and assessments on cybersecurity, at least annually. Training should include periodic phishing tests, with additional training provided for employees who fail tests or assessments.

HSCA also called upon organizations to have processes for implementing and maintaining anti-virus/anti-malware software, in addition to putting in place appropriate patching processes. Organizations should also install firewalls and use network segmentation to provide least-privilege access to system resources and data where appropriate to further minimize risks.

The association also advised HDOs to avoid acquiring devices for which a supplier is unable or unwilling to provide an MDS2 using the most recent template. In addition, purchase agreements for medical devices and services should contain appropriate liability and warranty provisions, and HDOs’ insurance policies should cover cybersecurity risks with appropriate minimum coverage.

The healthcare sector has been forced to deal with ransomware attacks on HDOs while coping with increased pressures brought on by the raging COVID-19 pandemic. Beyond disrupting patient care directly, such cybersecurity incidents can lead to more complications from medical procedures, delays in procedures and tests that result in poor outcomes, an increase in patients transferred or diverted to other facilities, and longer lengths of stay.

Toward the end of last year, healthcare and public health (HPH) sector organizations also had to take immediate action to protect against Log4j exploitation.
