January 29, 2019
by Ana Mulero

Cybersecurity: FDA, Industry Groups Welcome Joint Plan

The Healthcare and Public Health Sector Coordinating Council (HSCC) released a new medical device and health IT joint security plan (JSP) Monday to serve as a reference guide for strengthened cybersecurity.

Industry-driven public-private partnership HSCC developed the new JSP in response to 2017 recommendations from the Health Care Industry Cybersecurity Task Force. It specifically addresses the second imperative identified by the task force—increase the security and resilience of medical devices and health IT. The JSP has already been touted by device industry groups and agency officials.

HSCC’s plan “simplifies what FDA and others can do to achieve collaboration” around issues in medical device cybersecurity, US Food and Drug Administration (FDA) Commissioner Scott Gottlieb said at a public workshop Tuesday on the content of premarket submissions for cybersecurity management.

Several issues have been exacerbated since the health care sector became a prime target for cyber-attacks and ransomware in recent years, among them adequately identifying design and documentation requirements for medical device premarket submissions.

“Challenges include but are not limited to transparency and disclosure between vendors and end users, security by design and throughout the product lifecycle, and product end of life,” the JSP states. This prompted a renewed approach in the fight against cyber vulnerabilities that compromise device performance and pose a risk to patient safety.

The renewed approach led to the adoption of key themes and terminologies. Certain themes seen in FDA’s October 2018 redraft of its 2014 final guidance on the content of premarket submissions are also reflected in the JSP, such as cybersecurity as a shared responsibility and extending considerations throughout the total product lifecycle (TPLC). The JSP places greater emphasis on TPLC as its scope ranges from development and deployment to product and customer support post-market, whereas the agency’s guidance documents address cybersecurity in premarket settings separately from postmarket. 

The JSP is a product of a collaboration between a group of medical device manufacturers and health care delivery systems. FDA assisted in the development process as well. It sets forth a new framework to aid manufacturers, health IT vendors and providers in crafting policies and procedures “that align and integrate into existing processes.” HSCC anticipates future iterations of the JSP and welcomes feedback on its initial version.

In addition to shared responsibility, the JSP stresses building security into design and continuous improvement. “For the successful use of the JSP, an initial step is to be able to define the governance process as it relates to organizational roles and responsibilities and the needs for personnel training,” the 53-page JSP states. It goes on to detail an implementation framework for product security.

The proposed framework for adopting the activities and processes that comprise the JSP into existing processes is separated into three overarching categories: risk management, design control, and customer complaint handling and reporting. The JSP also describes how to evaluate progress post-adoption based on maturity assessments, which are used for FDA’s Case for Quality pilot.

The JSP includes a total of 11 appendixes—six of which provide examples on certain components in the framework. It was released in conjunction with a new JSP infographic and an FAQ document.