Background
MDIC recognizes that cybersecurity is vital to the healthcare sector. Cybersecurity threats can have a debilitating effect on security, privacy, public health and safety. As such, MDIC is focused on making meaningful contributions to advance cybersecurity as it relates to medical devices.
The U.S. Food and Drug Administration’s (FDA) Center for Devices and Radiological Health (CDRH) has issued guidance to address cybersecurity as part of its ongoing effort to ensure the safety and effectiveness of medical devices across their lifecycle. It is recommended that manufacturers build risk management programs that span the premarket phase, from early design through product development, and continue into the postmarket environment.
A roadmap for manufacturers exists as the MedTech Joint Security Plan (JSP) and its Maturity Model Metrics, which allow any organization to assess and implement the following:
· Organizational Structure
· Risk Management
· Design Control
· Complaint Handling
The MedTech Joint Security Plan uses Capability Maturity Model Integration (CMMI) to define how the maturity of cybersecurity capabilities is measured throughout the lifecycle of medical technology: design, development and maintenance.
Some medical device manufacturers have implemented cybersecurity programs derived from the JSP. MDIC believes that the JSP is a helpful resource in establishing cybersecurity capabilities such as security design requirements, risk assessment, testing, vulnerability disclosures and customer security documentation.