In June 2017, the U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force issued a report to Congress stating: “Health care cybersecurity is in critical condition.”
In an effort to harmonize the work being done in hospitals and by device manufacturers to address medical device vulnerabilities, Irving, Texas-based healthcare consultancy Vizient has formed the Medical Device Cybersecurity Task Force. The mission of the task force is to provide leadership and facilitate collaboration to minimize the risk and cost of medical device cybersecurity by fostering standard practices for the benefit of the health care industry.
“Vizient is excited to step up and provide leadership in the area of medical device cybersecurity by facilitating collaboration between key stakeholders for the benefit of the entire industry,” says Ross Carevic, director, technology sourcing operations at Vizient. “The goal is to help reduce cybersecurity risks and the cost of assessing risk. One of the key near-term deliverables is a multi-phase roadmap that will help advance the cybersecurity maturity posture of the entire health care industry.”
The work of the Vizient task force will also serve to augment the recently released Medical Device Action Plan published by the U.S. FDA. Carevic adds: “We look forward to having the opportunity to leverage our unique position in the marketplace to work collaboratively with our stakeholders to facilitate the public-private collaboration outlined in the Action Plan.”
Moreover, the task force will assess the overall maturity level of cybersecurity for medical devices and identify areas to improve. It will also focus on sourcing enhancements, standards, governance, and information-sharing best practices to reduce exposure to risk.
As an example, the Vizient contract portfolio includes more than 500 contracts with networked devices. The company is working closely with members, suppliers, and cybersecurity experts to add terms to the contract language and to modify the weightings related to cybersecurity safeguards in the RFP scoring process. This will enhance the cybersecurity of the devices in Vizient’s portfolio for the benefit of patients and providers, company officials say.
“We are viewing this from an entire industry perspective—not just for Vizient members and suppliers. Wherever possible, we intend to make key deliverables publicly available, which will help suppliers and providers prioritize their remediation plans for older medical devices and ensure appropriate safeguards are included in new devices for the benefit of all patients,” says Carevic.