Background

MDIC recognizes that cybersecurity is vital to the healthcare sector. Cybersecurity threats can have a debilitating effect on security, privacy, public health and safety. As such, MDIC is focused on making meaningful contributions to advance cybersecurity as it relates to medical devices.

The U.S. Food and Drug Administration’s (FDA) Center for Devices and Radiological Health (CDRH) has issued guidance to address cybersecurity as part of their ongoing effort to ensure safety and effectiveness of medical devices across their lifecycle. It is recommended that manufacturers build risk management programs that span premarket from early design, through development of products, and into the post market environment.

A roadmap for manufacturers exists as the MedTech Joint Security Plan (JSP) and its Maturity Model Metrics, which allow any organization to assess and implement the following:
· Organizational Structure
· Risk Management
· Design Control
· Compliant Handling

The MedTech Joint Security Plan uses CMMI—Capability Maturity Model Integration—to define how the maturity of cybersecurity capabilities throughout the lifecycle of medical technology is measured—through design, development and maintenance.

Some medical device manufacturers have implemented cybersecurity programs derived from the JSP. MDIC believes that the JSP is a helpful resource in establishing cybersecurity capabilities such as security design requirements, risk assessment, testing, vulnerability disclosures and customer security documentation.

About This Project

The goal of this project is to provide a common method and rubric for the medical technology industry to measure cybersecurity maturity across the industry to drive common improvements that reduce overall cybersecurity risk. We will establish the industry benchmark based on a collection of medical technology companies and stakeholders contributing their MedTech Joint Security Plan (JSP) Maturity Model metrics and share the aggregated data in report format. This will enable individual medical technology companies, HDOs, and other stakeholders to establish long-term strategic plans to increase their cybersecurity maturity and track their progress along the way.

Ultimately, we want to get to a place where cybersecurity requirements are defined, quantitatively managed, and optimized across the healthcare industry driving to a state where we proactively monitor and control all cyber risks.

The Benefit to Your Organization:

As medical devices continue to increase their network connectivity, usage of portable media, and the frequent electronic exchange of health and medical information, the need for effective cybersecurity monitoring and reporting to ensure medical device functionality and safety has become even more important. Instituting an industry benchmark will help drive increased awareness and rapidly reduce the time for the industry to mature and provides a model to evaluate product security program success.

Who Should Participate?

Medical Device Manufacturers and Healthcare Delivery Organizations who want to gain an independent perspective about how well you perform compared to other companies in your industry.

Please send questions to Jithesh Veetil, Program Director MDIC: cybersecurity@mdic.org 

Current as of December 1, 2020
© 2020 Medical Device Innovation Consortium. All Rights Reserved.Privacy Policy