Getty Images

HSCA Releases Cybersecurity Guidelines for Medical Device Manufacturers

The Healthcare Supply Chain Association released guidelines for medical device manufacturers and providers regarding cybersecurity and patient privacy.

The Healthcare Supply Chain Association (HSCA) released guidance for medical device manufacturers and healthcare providers concerning cybersecurity and patient privacy practices.

HSCA is a trade association that represents healthcare group purchasing organizations (GPOs) across the US with the goal of advocating for fair procurement practices and education to improve efficiency in the purchase and sale of healthcare goods and services, its website states.

HSCA’s new cybersecurity guidance involves four main categories of consideration: cybersecurity training and software, equipment acquisition standards and risk coverage, data encryption, and information sharing and standards organizations.

The guidance provided tips for both healthcare organizations and medical device manufacturers to identify red flags before doing business with a new vendor or organization. It is crucial that third-party vendors hold themselves to strict cybersecurity standards to ensure patient data privacy.

“The widespread adoption of telemedicine and rapid shift to virtual operations during the COVID-19 pandemic has underscored the important role that information technology, software, and medical devices can play in improving patient care,” Todd Ebert, HSCA president and CEO, explained in an accompanying press release.

“However, as evidenced by recent cyberattacks, medical devices and services are vulnerable to cybersecurity threats that could jeopardize patient health, safety, and privacy. GPOs leverage their unique line of sight over the supply chain to help providers harness the benefits of technology to care for their patients while guarding against cyber threats.”

Medical device security concerns were brought to the forefront in the past year following multiple vulnerability disclosures that could pose risks to patient safety. Barriers to achieving medical device security include a lack of visibility into how many devices are on a hospital’s network and a large number of outdated legacy devices that cannot be patched.

To mitigate these challenges, HSCA recommended that healthcare organizations and suppliers should at the very least participate in one or more information sharing and analysis organizations (ISAOs), such as the Health Information Sharing and Analysis Center (H-ISAC). HSCA advised against working with any manufacturer that does not actively participate in an ISAO.

“Information sharing among the user community is a significant factor in battling cybercriminals and participation in ISAOs is a platform for such sharing and a factor in improving the cybersecurity of all participants,” the guidance suggested.

“Terms of sale, including non-disclosure agreements, should not prohibit [healthcare organizations] from participating in ISAOs or other cybersecurity information sharing initiatives.”

Organizations should also designate an information technology officer or a network security officer to oversee cybersecurity across the organization. In addition, every employee should receive role-appropriate cybersecurity training and assessments. The training should include phishing tests and education on basic cyber hygiene practices.

HSCA also suggested that healthcare organizations and suppliers install firewalls, use network segmentation, and restrict user access to data and systems based on need. Protected health information (PHI) and personally identifiable information (PII) should always be encrypted.

“In cases where manufacturers are selling devices that rely on software no longer supported by a third party, the [healthcare organization] should be sure to consider any additional expenses that will be incurred to securely implement and maintain the devices,” the guidance continued.

Healthcare organizations should ensure that purchase agreements for medical devices and services contain appropriate liability and warranty provisions and that their insurance policies cover cybersecurity risks. Conducting cyber risk assessments and testing devices is also critical to ensuring patient privacy and safety.

On the manufacturer side, HSCA recommended that suppliers ensure compliance with current US Food and Drug Administration (FDA) guidance and industry standards. Medical device manufacturers should also provide a software bill of materials (SBOM) for any device that can be connected to a network.

“Although compliance with current guidelines can significantly reduce the cybersecurity risks associated with medical devices and services, legacy devices and possible future noncompliance pose ongoing risks,” the guidance noted.

HSCA suggested that manufacturers should assume responsibility for the security of legacy devices, knowing that it can be difficult for healthcare organizations to entirely discontinue or replace those devices. Manufacturers should work to upgrade the devices to current security standards to the best of their ability.

Additionally, HSCA recommended that medical device manufacturers provide reliable and timely information on any cybersecurity vulnerabilities that may arise in their products, along with guidance on what should be done to mitigate risk and patch devices.

Healthcare organizations and medical device manufacturers have an obligation to work together to communicate and mitigate risk while keeping patient safety and privacy as their top priority.

Next Steps

Dig Deeper on Cybersecurity strategies