Healthcare Information Technology

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House of Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

Ericsson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices.

Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices.

Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is often as an afterthought. Most IoT devices have not been designed with security in mind and the market encourages device manufacturers to prioritize convenience and cost over security.

The bill calls for NIST to issue recommendations for IoT device manufacturers on secure development, identity management, configuration management, and patching throughout the life-cycle of the devices. NIST will also be required to work with cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosure to ensure flaws are addressed when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with NIST recommendations, and for those policies to be reviewed at least every five years.

Any IoT device used by the federal government will be required to meet the security standards set by NIST, and contractors and vendors that provide IoT devices to the government will be required to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.

It is important that IoT devices do not give hackers a backdoor into government networks. Without minimum security standards, the government will be vulnerable to attack and critical national security information will be placed at risk.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.

The bill is supported by many software and security firms and industry associations, including BSA, Symantec, Tenable, Mozilla, Cloudflare, Rapid7, and CTIA.

The post Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices appeared first on HIPAA Journal.

Workplace Safety Survey Shows Communication Issues are Placing Employees at Risk

Framingham, MA-based Rave Mobile Safety has published the results of its annual workplace safety and preparedness survey. The report shows that while emergency preparedness is better than in 2017, there is still considerable room for improvement, especially in healthcare and education.

The survey covered 540 full-time employees in the United States across several industries. The aim of the survey was to identify trends in emergency planning, obtain the views of employees about workplace safety, and find out more about the efforts that have been made to ensure effective communication in the event of an emergency and to alert employees at risk.

The survey shows companies are increasingly developing plans for modern emergencies, such as active shooters, workplace violence, and cyberattacks and system outages. However, greater effort is required to ensure that emergency plans are communicated to employees.

20% of workers were unaware of emergency plans for cyberattacks and system outages and 18% of workers were unaware of the emergency plan for active shooters and workplace violence. Figures from the National Safety Council indicate around 2 million individuals are victims of violence in the workplace every year, and workplace violence is the third leading cause of workplace deaths in the healthcare industry. Worryingly, 37% of women were unaware of workplace violence emergency plans, even though workplace violence is the second leading cause of death for women in the workplace.

Planning for emergencies is essential, but so too is testing emergency plans to make sure they are effective. Many companies have developed emergency plans yet have not tested them to make sure they work. 53% of surveyed employees said workplace violence plans were never tested and 55% said emergency plans for cyberattacks were never tested, even though there is a significant risk of both types of incident occurring.

The survey revealed traditional methods of communication in emergencies are in decline and many companies are now turning to mobile technology such as text messages and apps to communicate in emergency situations. Email is still the leading communication channel in emergencies, even though it is slower than text messages and apps and, in the event of a cyberattack, email may itself be taken out of action.

55% of companies used email to communicate with employees in emergency situations, even though only 11% of employees said they prefer this method of communication. Text message alerts were preferred by 50% of employees, yet only 44% of companies send text messages to alert employees about emergency situations.

“The survey gives great insight into how employees feel about their level of safety at work in the event of a possible emergency situation, but also demonstrates the disconnect that still exists between the communications channels employers use to inform their employees during emergencies and the way employees prefer to receive this information,” said Todd Piett, CEO of Rave Mobile Safety.


25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

Implementing technical safeguards to prevent the exposure of electronic protected health information is a major challenge in healthcare, especially when it comes to securing mobile devices.

According to the Verizon Mobile Security Index 2019 report, 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months.

All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months.

While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as a quarter of healthcare organizations have experienced a breach involving a mobile device and 80% of those entities learned about the breach from a third party.

Since mobile devices are often used to access or store ePHI, a security incident could easily result in a breach of ePHI. Two thirds (67%) of healthcare mobile security incidents were rated major breaches. 40% of those breaches had major lasting repercussions and, in 40% of cases, remediation was said to be difficult and expensive.

67% of mobile device security incidents saw other devices compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said data was lost. 40% of healthcare organizations that experienced such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised as a result of a mobile security breach.

The main security risks were seen to be how devices were used by employees. 53% of respondents said personal use of mobile devices posed a major security risk and 53% said user error was a major problem.

65% of healthcare organizations were less confident about their ability to protect mobile devices than other IT systems. Verizon notes that this could be explained, in part, by the lack of effective security measures in place. For instance, just 27% of healthcare organizations were using a private mobile network and only 22% had unified endpoint management (UEM) in place.

The survey also confirmed that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said they sacrificed security to get tasks completed compared to 32% last year. 81% said they use mobile devices to connect to public Wi-Fi even though in many cases doing so violates their company’s mobile device security policy.


NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts, approximately 10% of the world's pagers, at an annual cost of around £6.6 million ($8.73 million).

Advantages and Disadvantages of Pagers in Healthcare

Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small and easy to carry, and batteries can last months. The pager system uses its own transmitters and frequencies, and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well.

However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a page is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are often written down and can be forgotten or lost. When responding to messages, doctors often find the number is engaged, and so begins a time-consuming game of phone tag. Pages also do not convey a sense of urgency.

To investigate the use of pagers, the Department of Health commissioned a report from CommonTime, a digital solutions company. The firm concluded that the devices should not continue to be used in the NHS and that it was surprising for legacy equipment such as pagers to still be relied upon in emergency situations.

UK Health Secretary Matt Hancock is keen to see legacy technology such as pagers phased out. He views emails and mobile phones as a better option in terms of speed, security, and cost. Pagers are expensive to run. Switching to alternative, modern methods of communication could save the NHS millions each year. The report suggests that the use of mobile devices and mobile software in place of pagers could save the NHS around £2.7 million ($3.57 million) a year.

Messaging Apps and Secure Email to Replace NHS Pagers

Secure messaging apps on smartphones are a viable alternative to pagers and can be run at a fraction of the cost. The apps offer capabilities similar to WhatsApp and Skype, but with enhanced security and message accountability.

The West Suffolk NHS Foundation Trust trialed a smartphone app in 2017 and replaced all of its pagers. It found that the app saved a considerable amount of time communicating with doctors and reduced costs. The app allowed two-way communication between doctors, could be used by healthcare professionals to communicate with each other, supported group chats, and worked on smartphones, tablets and desktops.

Mobile technology may improve security and allow the NHS to cut costs, but the technology is not without drawbacks. There are often dead-spots in hospitals where signals cannot be received on mobile devices, mobile networks can face slowdowns which delay the delivery of urgent messages, and there is potential for mobile devices to interfere with hospital equipment. Those issues will need to be resolved over the coming two years, although NHS Trusts will be permitted to keep some pagers for emergency situations, such as when mobile networks go down or hospital Wi-Fi goes offline.

Fax Machines to be Phased Out by 2020

The latest report follows a 2018 study by the Royal College of Surgeons which revealed that the NHS was still using around 9,000 fax machines to send documents. In December 2018, the Department of Health announced that fax machines would be phased out and would be replaced by secure, encrypted email to improve patient safety and cybersecurity. NHS Trusts have not been permitted to buy new fax machines since January 2019 and fax machines will be completely phased out by April 2020.

These are just two of the initiatives that Hancock is pursuing to update the technology used by the NHS. As the May 2017 WannaCry ransomware attacks showed, it is not just legacy communications equipment that is a problem; unsupported software is too. A study conducted after the attacks revealed 60% of NHS Trusts were still using Windows XP, even though the operating system is no longer supported and is a major security risk. In May 2018, the UK government signed a £150 million ($198 million) deal with Microsoft to upgrade all Windows XP and Windows 7 machines to Windows 10. That process is due to be completed by January 14, 2020, the date on which Microsoft ends support for Windows 7.


NIST NCCoE Releases Mobile Device Security Guidance

The National Cybersecurity Center of Excellence (NCCoE) has released final guidance on mobile device security to help organizations secure mobile devices and prevent data breaches.

Mobile devices offer convenience and allow data to be accessed from any location. Not only do they allow healthcare organizations to make cost savings, they are vital for remote workers who need access to patients’ health information. Mobile devices allow onsite and offsite workers to communicate information quickly and they can help to improve patient care and outcomes.

However, mobile devices introduce security risks. Stolen devices can be used to gain access to corporate email accounts, contacts, calendars, and other sensitive information stored on the devices or accessible through them.

There have been many cases where mobile healthcare devices have been lost or stolen causing the exposure of patients’ protected health information. Mobile device security failures have resulted in several financial penalties for HIPAA covered entities, including a $4,348,000 civil monetary penalty for University of Texas MD Anderson Cancer Center in 2018.

In healthcare, securing mobile devices and protecting sensitive data can be a major challenge. To help businesses and healthcare organizations improve mobile device security, NIST/NCCoE developed a Mobile Device Security Practice Guide.

The Guide – NIST Special Publication 1800-4 Mobile Device Security: Cloud & Hybrid Builds – gives practical advice on how commercially available technologies can be used to create an enterprise mobility management system that ensures mobile devices can be used to securely access sensitive information from inside and outside the corporate network while minimizing the impact on the user experience.

By using the guide, organizations can ensure that employees can access vital information safely and securely from almost any location, over any network, on a range of mobile devices, while minimizing mobile device security risks.

The guide can be used to securely implement BYOD and COPE deployment models and leverage cloud services to improve security, enhance visibility for system administrators, provide instant alerts about security events, and push policies out to mobile devices and enforce them through operating systems or mobile applications.

The guide includes several how-to examples that demonstrate how standards-based technologies can be used in real-world situations to reduce the risk of unauthorized data access and intrusions while saving on research and proof-of-concept costs.

The guide can be viewed or downloaded from the NIST/NCCoE website.


ONC and CMS Propose New Rules on Patient Access and Information Blocking

On Monday, February 11, 2019, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) released new rules covering patient data access and information blocking.

The aim of the new rules is to advance interoperability and support the meaningful exchange and use of health information. The rules are intended to increase competition, encourage innovation, and give patients control over their health data.

One of the main goals is to make health information accessible via application programming interfaces (APIs). Currently consumers use a wide range of smartphone apps for paying bills and accessing information. It should be just as easy to gain access to healthcare data through apps and for healthcare data to be provided electronically at no cost.

One of the main requirements of the new rules is for healthcare providers and health plans to implement data sharing technologies that support the transition of care to new healthcare providers and health plans. Whenever a patient wishes to start seeing a new physician or wants to change to a new health plan, their health data should be seamlessly transferred.

The CMS rule proposes that by 2020, all healthcare organizations working with Medicare and Medicaid will be required to share health information and claims data with patients electronically via an API. This would make it easy for patients to change health plan and take their data with them. It will ensure that by 2020, 125 million patients will be able to receive their claims information electronically.

The ONC rule updates its conditions of certification, which require health IT developers to publish APIs that allow access to patient data without any special effort. The goal is for healthcare organizations to adopt standardized APIs to support the accessing of structured and unstructured health data via mobile devices.

The ONC rule implements the 21st Century Cures Act's information blocking provisions and adds seven new exceptions to the information blocking rule, that is, actions and activities which are not classed as information blocking.

The new exceptions are:

  • Practices that prevent patients from being harmed
  • Practices that protect the privacy of electronic health information
  • Practices that ensure the security of electronic health information
  • Maintaining and improving health IT performance with user agreement
  • Recovering reasonable costs to allow the exchange, use, and accessing of electronic health information
  • Denying access, exchange, and use of electronic health information because it is unfeasible or would impose a substantial burden, which is unreasonable under the circumstances
  • Licensing of technical artifacts to support the interoperability of electronic health information on reasonable and non-discriminatory terms

The ONC has proposed that healthcare providers found to be blocking information sharing should be named and shamed to discourage the practice, and suggests that those organizations may also face financial penalties. "We are going to expose the bad actors who are purposely trying to keep patients from their own information," explained CMS Administrator Seema Verma.

Comments have also been requested on including pricing information along with electronic health information to allow patients to see exactly how much they are paying for their healthcare.

“These proposed rules strive to bring the nation’s healthcare system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said HHS Secretary Alex Azar. “By outlining specific requirements about electronic health information, we will be able to help patients, their caregivers, and providers securely access and share health information. These steps forward for health IT are essential to building a healthcare system that pays for value rather than procedures, especially through empowering patients as consumers.”


HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018.

This year's survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security incident in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident.

In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations.

The most common actors implicated in security incidents were online scam artists (28%) and negligent insiders (20%). Online scam artists used tactics such as phishing, spear phishing, whaling, and business email compromise to gain access to healthcare networks and data. Online scam artists often impersonate senior leaders in an organization and make requests for sensitive data and fraudulent wire transfers.

Threat actors use a variety of methods to gain access to healthcare networks and patient data, although a high percentage of security breaches in the past 12 months involved email. 59% of respondents said email was a main source of compromise. Human error was rated as a main source of compromise by 25% of respondents and was the second main cause of security incidents.

HIMSS said it is not surprising that so many healthcare organizations have experienced phishing attacks. Phishing attacks are easy to conduct, they are inexpensive, can be highly targeted, and they have a high success rate. Email accounts contain a trove of sensitive information such as financial data, the personal and health information of patients, technical data, and business information.

Even though email is one of the most common attack vectors, many healthcare organizations are not doing enough to reduce the risk of attacks. The HIMSS Cybersecurity Survey revealed 18% of healthcare organizations are not conducting phishing simulations on their employees to reinforce security awareness training and identify weak links.

While email security can be improved, there is concern that by making it harder for email attacks to succeed, healthcare organizations will encourage threat actors to look for alternative methods of compromise. It is therefore important for security leaders to diligently monitor other potential areas of compromise.

The most common ways that human error leads to the exposure of patient data are posting patient data on public-facing websites, accidental data leaks, and simple errors.

HIMSS explained that it is imperative to educate key stakeholders on IT best practices and to ensure those practices are adopted. Significant security incidents caused by insider negligence were commonly the result of lapses in security practices and protocols.

HIMSS suggests that additional security awareness training should be provided to all employees, not just those involved in security operations and management. Individuals in security teams should also be given additional training on current and emerging threats along with regular training to ensure they know how to handle and mitigate security threats.

Email attacks and the continued use of legacy (unsupported) systems such as end-of-life versions of Windows Server and Windows XP raise grave concerns about the security of the healthcare ecosystem.

69% of respondents said they continue to use at least some legacy systems. 48% are still using unsupported versions of Windows Server and 35% are still using Windows XP, despite the security risks that those legacy systems introduce.

While it is encouraging to see that 96% of organizations conduct risk assessments, only 37% of respondents said they conduct comprehensive risk assessments. Only 58% assess risks related to their organization’s website, 50% assess third party risks, and just 47% assess risks associated with medical devices.

HIMSS suggests cybersecurity professionals should be empowered to drive change throughout the organization. "Rather than being 'hermetically sealed off' from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations," a view that was shared by 59% of respondents.

It is good to see that in response to the growing threat of attacks, healthcare organizations are allocating more of their IT budgets to cybersecurity. 72% of respondents said their budget for cybersecurity had increased by 5% or more or had remained the same.

The 2019 HIMSS Cybersecurity Survey Report is available for download from HIMSS as a PDF.


EHR Vendor False Claims Act Violation Case Settled for $57.25 Million

The Tampa, FL-based electronic health record (EHR) software developer Greenway Health LLC has agreed to settle violations of the False Claims Act with the Department of Justice for $57.25 million.

The case concerns Greenway Health’s EHR product Prime Suite. The DOJ alleged that by misrepresenting the capabilities of the product, users submitted false claims to the U.S. government. Further, Greenway Health was alleged to have provided unlawful remuneration to users to induce them to recommend the EHR product to other healthcare providers.

The U.S. government provided incentives to healthcare organizations through the Meaningful Use program to encourage them to transition from paper records to EHRs. Most healthcare providers have now made the change and rely on EHR systems to support the healthcare decision process. It is therefore essential that EHR products allow patient health information to be recorded and transmitted accurately.

In order for healthcare providers to qualify for Meaningful Use payments, they must only use EHR products that have been certified as meeting certain criteria stipulated by the Department of Health and Human Services (HHS). In order to receive certification, EHR software developers must have their products tested by an independent, accredited testing laboratory authorized by the HHS. Certification is then provided by an official certification body.

Greenway Health was alleged to have falsely obtained 2014 Edition certification for Prime Suite by concealing the fact that the product did not fully comply with all HHS criteria, such as the use of standardized clinical terminology to ensure reciprocal flow of patient information and the accuracy of electronic prescriptions. Greenway Health was alleged to have modified its test-run software to deceive the company that certified Prime Suite into believing it used the requisite clinical vocabulary.

Healthcare providers who used Prime Suite needed to meet targets for EHR-related activities in order to receive Meaningful Use incentive payments. One such target was to provide a certain percentage of patients with clinical summaries after office visits. The 2011 Edition of Prime Suite did not accurately calculate the percentage of office visits for which users distributed clinical summaries and, as a result, it caused users to submit false claims. Greenway Health chose not to correct the error, because doing so would have meant its users no longer qualified for Meaningful Use incentive payments.

Greenway Health was also alleged to have violated the Anti-Kickback Statute by paying money to users as an incentive to recommend the product to other healthcare providers.

“This resolution demonstrates our continued commitment to pursue EHR vendors who misrepresent the capabilities of their products, and our determination to promote public health while holding accountable those who seek to abuse the government’s trust,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.

This is the second case against an EHR provider to have been pursued and resolved in the past two years. eClinicalWorks was also accused of covering up the failure of its platform to pass certification testing. eClinicalWorks paid $155 million to settle its case.

“These cases are important, not only to prevent theft of taxpayer dollars, but to ensure that the promise of health technology is realized in the form of improved patient safety and efficient healthcare information flow,” said United States Attorney Christina E. Nolan for the District of Vermont.

In addition to the financial penalty, Greenway Health has entered into a 5-year Corporate Integrity Agreement (CIA) with the HHS’ Office of Inspector General. Under the terms of the CIA, Greenway Health is required to retain an Independent Review Organization to assess its software quality control and compliance systems and to review arrangements with healthcare providers to ensure compliance with the Anti-Kickback Statute.

Greenway Health must also allow all users of Prime Suite to upgrade to the latest version of the platform at no additional charge and, if they so wish, allow customers to transfer their data to another EHR software provider without incurring penalties, service charges, or other contractual amounts owed in connection with the goods/services already provided.


New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector.

More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing Act of 2015.

“It is important for medical device manufacturers and health IT vendors to consider the JSP’s voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” explained HSCC.

Cybersecurity controls can be difficult to integrate into existing processes. Organizations often fail to recognize how important security controls are, and when considering how to enhance cybersecurity many do not know where to start or have insufficient resources to devote to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to implementing the JSP as it is believed that by doing so patient safety will be improved.

The JSP can be adopted by organizations of all sizes and stages of maturity and helps them enhance cybersecurity of medical devices by addressing key challenges. Many large manufacturers have already created similar cybersecurity programs to the JSP, so it is likely to be of most use for small to medium sized companies that lack awareness of the steps to take to improve cybersecurity as well as those with fewer resources to devote to cybersecurity.

The JSP applies security-by-design principles and identifies shared responsibilities between industry stakeholders to harmonize security standards, risk assessment methodologies, and vulnerability reporting, and to improve information sharing between device manufacturers and healthcare providers. The JSP covers the entire lifecycle of medical devices, from development to deployment, management, and end of life. Its recommendations include incorporating cybersecurity measures during the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigating post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan can be downloaded from the HSCC website.
