By Jof Enriquez,
Follow me on Twitter @jofenriq
Seeking to provide a forum to discuss ideas and share best practices for medical device cybesecurity, a group of healthcare organizations and medtech companies have formally launched the Medical Device Cybersecurity Task Force (MDCTF).
Co-coordinated by cybersecurity firm Sensato and healthcare security firm Divurgent, MDCTF is a free, voluntary, cross-industry group composed of hospitals, hospital technologists, cybersecurity researchers, information technology leaders, and medical device manufacturers. It seeks to develop cost-effective, practical approaches to securing medical devices in healthcare organizations, and strives to act as an "intelligence liaison" that allows for the collection and sharing of potential threat intelligence with its members and government agencies, according to a press release from January.
At that time, the Task Force had five members, including Delaware healthcare system Beebe Healthcare. Since then, membership has expanded to 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, and Intermountain. Tech vendors Renovo Solutions and VMware Inc., who operate enterprise-grade mobile device and software provider AirWatch, have also joined the group.
Cybersecurity threats to medical devices are a growing concern, and the U.S. Food and Drug Administration (FDA) issued a draft guidance earlier this year for medical device manufacturers to address cybersecurity risks to keep patients safer. The agency last year issued its first cybersecurity-related alert for a medical device, and security experts predict that it won't be the last as devices become increasingly interconnected.
FDA has identified cybersecurity as a one of its regulatory science priorities for 2016. Other federal agencies, such as the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG), as well as professional associations like the Institute of Electrical and Electronics Engineers (IEEE), have announced their own initiatives to help manufacturers design products that can withstand cyberthreats.
However, despite these efforts, confusion and a lack of awareness persist among medtech companies and healthcare providers regarding cybersecurity.
“We continually get asked by clients what the best practices are for securing medical devices, how do we protect these things,” said John Gomez, CEO of Sensato and co-founder of the Task Force, to Healthcare IT News. “There is little guidance and a lot of misinformation. While there are other organizations doing work in this space, we thought it was important to create a fast-moving, very tactical group that could come to the industry with a set of best practices.”
In contrast to agency-driven initiatives, the Task Force can be described as more of a "grassroots" program that will get hospitals and manufacturers involved with cybersecurity matters by talking directly, eliciting feedback, and sharing resources.
“The reality is both sides – providers and manufacturers – do not understand how much the other side does not know,” Gomez added in the article. “When I talk with manufacturers, they understand they need to do something, but they have never had to deal with cybersecurity before, it’s not a part of their DNA. And on the hospital side, they’re realizing they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group in hospitals. So both sides have common ground where they both are looking for answers.”
According to Healthcare IT News, as a solution, the Task Force wants to create a set of best practices separately for healthcare provider organizations and for medical device manufacturers. It is also working on an app that will help healthcare organizations evaluate medical devices and at the same time feed a database that task force members can access to study the market.
The Task Force will organize quarterly meetings where members can discuss all aspects of medical device cybersecurity: technical, management, education, threat intelligence, monitoring, planning, purchasing, finance, and economics, according to the Sensato website. Output from these meetings will be provided as an open source asset to the healthcare and medtech industries.