HSCA Releases Cybersecurity Guidelines to Help Protect Patient Health, Safety, And Privacy 

Towards the end of December 2021, as we entered the new year, The Healthcare Supply Chain Association (HSCA) released guidance for medical device manufacturers and healthcare providers to help safeguard patient health, safety, and privacy.  

The Healthcare Supply Chain Association (HSCA) represents the United States’ leading healthcare group purchasing organizations (GPOs). These GPOs are critical cost-savings partners to America’s hospitals, nursing homes, nursing home pharmacies, clinics, home healthcare providers and surgery centers. HSCA, which is a broad-based trade association, advocates for fair procurement practices and education to improve efficiency in the purchase and sale of healthcare goods and services.  

Key considerations for manufacturers and healthcare delivery organizations 

The document titled ‘
Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations (HDOs)’ outlines the shared responsibilities of the parties in assuring medical device and information security and some of the steps they might take in promoting that security.

The HSCA’s new cybersecurity guidance involves 4 main categories of consideration:  

                        • Cybersecurity Training and Software: Includes designating an information technology security officer, maintaining updated anti-virus software, and implementing role-appropriate cyber training and assessments; 
                        • Equipment Acquisition Standards and Risk Coverage: Includes ensuring compliance with regulatory standards for purchasing medical devices and updating legacy devices, providing insurance policies to cover cybersecurity risks, and validating devices by testing manufacturer claims; 
                        • Data Encryption: Includes encrypting personal authentication data as well as any confidential or sensitive information when practical; 
                        • Information Sharing & Standards Organizations: Includes participating in Information Sharing and Analysis Organizations (ISAOs), certifying that suppliers of network-accessible medical devices, software and services are compliant with current FDA guidance documents, and ensuring that manufacturers provide a Manufacturer Disclosure Statement for Medical Device 

You can find the full ‘Medical Device and Service Cybersecurity Considerations’ document here. In conjunction with this release, HSCA also published ‘Recommendations for Medical Device Cybersecurity Terms and Conditions’, which details potential purchasing contract terms and conditions that could help ensure rapid adoption of rigorous cybersecurity measures. You can view the accompanying recommendations document here.  

What is a 510(k)?
Protecting patient safety and preventing cyber attacks 

 At the time of its release, HSCA President and CEO, Todd Ebert, explained the reasoning behind the guidance.   

The widespread adoption of telemedicine and rapid shift to virtual operations during the COVID-19 pandemic has underscored the important role that information technology, software, and medical devices can play in improving patient care. However, as evidenced by recent cyberattacks, medical devices and services are vulnerable to cybersecurity threats that could jeopardize patient health, safety, and privacy. GPOs leverage their unique line of sight over the supply chain to help providers harness the benefits of technology to care for their patients while guarding against cyber threats.” 

HSCA Committee for Healthcare eStandards (ChES) Executive Director, Curt Miller, also had this to say about the guidance. 

The increased use of connected medical devices and software as a service (SaaS), the adoption of wireless technology, and overall increased medical device and service connectivity to the internet significantly increase the risks of cybersecurity incidents. HSCA and its Committee for Healthcare eStandards are committed to accelerating the adoption, implementation, and active usage of industry-wide data standards for improving efficiencies and safety throughout the healthcare supply chain, and HSCA’s key considerations are part of that continued commitment.” 

Holding third-party vendors to strict standards of cybersecurity safety 

Medical device security concerns have been brought to the front of the industry’s collective consciousness as a number of breaches occurred in 2021. (Several of these events were listed in a previous article.) These breaches can jeopardize patient health, safety, and privacy. 

Some measures suggested within the HSCA guidance include; 

                      • Designating an information technology and/or network security officer to be responsible for security of the organization, services, and products; 
                      • Have processes in place for implementing and maintaining anti-virus/anti-malware software; 
                      • Avoid acquiring devices for which a supplier is unable or unwilling to provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2); 
                      • Conduct risk assessments, including testing when practical, for all devices and services to verify manufacturer claims prior to acquiring any device or service and connecting the device or service to their network.  
                      • The expected useful life of the device or service should be specified within the purchase agreement and security updates to the software and all supporting software components. 
                      • Medical device manufacturers should provide an MDS2 (current version and SBoM) for any medical device that can be connected to a network (i.e., any device that has a MAC address). 

A number of key cybersecurity measures that organizations should implement are listed within the document. Some apply only to healthcare delivery organizations, medical device manufacturers and service suppliers. Some apply only to HDOs (healthcare delivery organizations).  

Regardless of what type of organization you belong to, it is vitally important that all parties hold themselves to the strictest cybersecurity standards to ensure patient safety and data privacy. A full list of considerations can be found here.  
If you would like to talk to one of our team, you can drop us a message on our contact page. 

Image credit

Photo by Philipp Katzenberger on Unsplash

Photo by Testalize.me on Unsplash

Photo by Chris Liverani on Unsplash