The Healthcare Supply Chain Association (HSCA) has issued two sets of recommendations aimed at healthcare delivery organisations and manufacturers that describe essential privacy and cybersecurity considerations for medical equipment.
The HSCA represents 14 healthcare group purchasing organisations (GPOs) in the United States, serving for-profit and nonprofit health systems and provider companies. The new guidance adds to Mitre and the Medical Device Innovation Consortium’s earlier guidelines on medical device threat modelling, as well as the Healthcare and Public Health Sector Coordinating Council’s in-depth guide on the medical device security lifecycle.
After witnessing the rapid shift to remote care and telehealth in the healthcare sector during the pandemic response, HSCA President and CEO Todd Ebert said in a statement that the experience “solidified the important role that information technology, software, and medical devices can play in improving patient care.”
“However, as previous breaches have demonstrated, medical devices and services are vulnerable to cybersecurity risks that may threaten patient health, safety, and privacy,” he added. “GPOs use their unique line of sight across the supply chain to assist providers in using the benefits of technology to better care for their patients while also protecting themselves from cyber risks.”
The guides are intended to help both manufacturers and providers safeguard patient safety and privacy, and they recommend medical device security terms and conditions for purchasing contracts in order to speed the adoption of cybersecurity measures in healthcare.
The recommendations fall into four main areas: cybersecurity training and software; equipment and acquisition standards and risk coverage; data encryption; and information sharing and standards organisations. The handbook also defines key terms and explains their potential security implications.
The designation of a security officer responsible for creating and maintaining connections with industry stakeholders, as well as recommended encryption requirements for data in transit, are among the major concerns for healthcare security administrators.
There are also tips on working with manufacturers and what to look out for when buying a product from a supplier or manufacturer. The advice is extremely useful, but only if a healthcare institution has effectively integrated a security team into the procurement process to guarantee that all devices introduced onto the network are built with security in mind.
The lack of well-defined processes for buying devices, IT, and systems for the organisation is one of the major gaps in medical device security, with 2018 research showing that the average healthcare setting contains about 10,000 medical devices.
Finally, the guidance includes specific recommendations for device makers and service providers, such as evidence of compliance with industry standards and the information these parties should disclose to healthcare institutions, especially in the case of legacy or vulnerable platforms.
Curt Miller, Executive Director of the HSCA Committee for Healthcare eStandards (ChES), highlighted that as the usage of connected medical devices and software as a service (SaaS) grows in healthcare, so do the hazards to patients and the organisation.
The instructions can help encourage sustained adoption and developments in IT and medical device infrastructure to better ensure patient safety, especially as the Department of Health and Human Services ramps up interoperability efforts across the industry in the next year.
Because no medical device stands alone, and there is no way to totally eliminate the risk these devices pose, lowering the potential impact on the whole network is critical, as prior Forescout data revealed.
Device maintenance and security is a “joint obligation of the manufacturers and providers of connected devices and services, as well as the healthcare delivery organisations” that use the platforms, according to security researchers.
According to the HSCA, “providing this security is a continuous effort that necessitates vigilance, adaptation, and continuing communication and collaboration between the parties.” As a result, the HSCA emphasised the importance of, at a minimum, joining and participating in an ISAC or ISAO, as well as using a risk assessment methodology and a standards-based security framework, such as NIST’s.
All stakeholders should use the guidance to address the accelerated adoption of these devices to decrease risk and promote “industry-wide data standards for increasing efficiencies and safety throughout the healthcare supply chain,” according to the trade group’s leadership.