Medical device makers, regulators and healthcare delivery organizations are increasingly working together to strengthen cybersecurity. But are they doing enough?

Almost no one in the medtech industry disputes the risk posed by cyberattacks. How to go about boosting security is another matter – one on which those stakeholders have recently stepped up their collaboration.
One group, the Healthcare & Public Sector Coordinating Council, thinks it has a solution: Health providers and other customers buying a connected medical device should be able to remotely access a cybersecurity bill of materials (CBOM) listing all commercial, open-source and custom-code software in the device. The CBOM would also cover commercial hardware such as processors, network cards, sound cards, graphics cards and memory.
The council’s recently issued joint security plan calls for more vulnerability disclosures, notices of breaches, software and hardware upgrades and security patch availability. Companies would also need to notify customers before they end technical support for older devices.
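To make concrete what a customer could do with a CBOM of the kind described above, here is an added Python sketch that is not part of the council's plan or any manufacturer's tooling. It models a CBOM as a list of software and hardware components plus an end-of-support date, cross-references it against a set of vendor advisories, and reports which components are exposed, whether a patch is available, and whether the device has passed its support end date. Every device, component, version, advisory and date in it is constructed for illustration; the `Component`, `CBOM`, `Advisory`, `find_exposures` and `triage` names are assumptions of this example, not terms from the plan.

```python
from dataclasses import dataclass
from datetime import date

# All names, versions and dates below are constructed for illustration;
# they do not describe any real device, vendor, component or advisory.


@dataclass(frozen=True)
class Component:
    kind: str      # "commercial", "open-source", "custom-code" or "hardware"
    name: str
    version: str


@dataclass(frozen=True)
class CBOM:
    device: str
    support_ends: date      # date after which the maker ends technical support
    components: tuple       # tuple of Component


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_versions: frozenset
    patch_available: bool


def find_exposures(cbom, advisories):
    """Return (component, advisory) pairs where the CBOM lists an affected version."""
    hits = []
    for comp in cbom.components:
        for adv in advisories:
            if adv.component == comp.name and comp.version in adv.affected_versions:
                hits.append((comp, adv))
    return hits


def triage(cbom, advisories, today):
    """Summarise what a customer can act on: patchable and unpatched exposures,
    and whether the device is already past its announced end of support."""
    exposures = find_exposures(cbom, advisories)
    return {
        "device": cbom.device,
        "patchable": [c.name for c, a in exposures if a.patch_available],
        "unpatched": [c.name for c, a in exposures if not a.patch_available],
        "out_of_support": today > cbom.support_ends,
    }


# Constructed sample CBOM: three software components and one hardware part.
SAMPLE_CBOM = CBOM(
    device="example-infusion-pump",
    support_ends=date(2022, 12, 31),
    components=(
        Component("commercial", "example-rtos", "4.2"),
        Component("open-source", "example-tls", "1.0"),
        Component("custom-code", "pump-control-fw", "3.1"),
        Component("hardware", "example-nic", "rev-b"),
    ),
)

# Constructed sample advisories: one with a patch, one without.
SAMPLE_ADVISORIES = (
    Advisory("example-tls", frozenset({"1.0", "1.1"}), patch_available=True),
    Advisory("example-nic", frozenset({"rev-a", "rev-b"}), patch_available=False),
)

# Constructed "today" used when the script is run directly.
SAMPLE_TODAY = date(2023, 6, 1)

if __name__ == "__main__":
    print(triage(SAMPLE_CBOM, SAMPLE_ADVISORIES, SAMPLE_TODAY))
```

Keeping hardware parts in the same list as software is what lets the NIC advisory surface alongside the TLS library one; a software-only bill of materials would miss it. The `out_of_support` flag is the customer-side counterpart of the end-of-support notice the plan asks manufacturers to send.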
“It’s this voluntary framework that establishes best practice for cybersecurity at a medical technology company,” council member Rob Suarez, director of product security at Becton Dickinson, told Medical Design & Outsourcing. “This joint security plan establishes the common ground which many medical device manufacturers, health IT vendors and healthcare providers agreed on.”
Some manufacturers have grumbled about providing hardware information in a CBOM, but an increasing number have pledged to publicly share vulnerability information should hackers breach one of their devices, including industry giants BD, Abbott, Siemens, Philips, Medtronic, Johnson & Johnson, Boston Scientific and Stryker.