The Healthcare Supply Chain Association (HSCA) recently released key cybersecurity considerations for medical device manufacturers, healthcare delivery organizations, and service providers to help safeguard patient health, safety, and privacy.

The critical considerations in HSCA’s cybersecurity measures include cybersecurity training and software; equipment acquisition standards and risk coverage; data encryption; and information sharing and standards organizations.

In conjunction with the release of the key considerations, HSCA, which represents the nation’s leading healthcare group purchasing organizations (GPOs), also published “Recommendations for Medical Device Cybersecurity Terms and Conditions.” These recommendations detail potential purchasing contract terms and conditions that could help ensure rapid adoption of rigorous cybersecurity measures.

“The widespread adoption of telemedicine and rapid shift to virtual operations during the COVID-19 pandemic has underscored the important role that information technology, software, and medical devices can play in improving patient care. However, as evidenced by recent cyberattacks, medical devices and services are vulnerable to cybersecurity threats that could jeopardize patient health, safety, and privacy,” says HSCA President and CEO Todd Ebert, R.Ph. “GPOs leverage their unique line of sight over the supply chain to help providers harness the benefits of technology to care for their patients while guarding against cyber threats.”

HSCA’s cybersecurity measures include the following categories of considerations:

  • Cybersecurity training and software: Includes designating an information technology security officer, maintaining updated anti-virus software, and implementing role-appropriate cyber training and assessments.
  • Equipment acquisition standards and risk coverage: Includes ensuring compliance with regulatory standards for purchasing medical devices and updating legacy devices, providing insurance policies to cover cybersecurity risks, and validating devices by testing manufacturer claims.
  • Data encryption: Includes encrypting personal authentication data as well as any confidential or sensitive information when practical.
  • Information sharing and standards organizations: Includes participating in Information Sharing and Analysis Organizations (ISAOs), certifying that suppliers of network-accessible medical devices, software, and services are compliant with current FDA guidance documents, and ensuring that manufacturers provide a Manufacturer Disclosure Statement for Medical Device Security.

“The increased use of connected medical devices and software as a service (SaaS), the adoption of wireless technology, and overall increased medical device and service connectivity to the internet significantly increase the risks of cybersecurity incidents,” says HSCA Committee for Healthcare eStandards (ChES) Executive Director Curt Miller. “HSCA and its Committee for Healthcare eStandards are committed to accelerating the adoption, implementation, and active usage of industry-wide data standards for improving efficiencies and safety throughout the healthcare supply chain, and HSCA’s key considerations are part of that continued commitment.”