Public-Private Partnerships to Secure Medical Devices

In episode three of the seven-part CHIME webinar series, Public-Private Partnerships to Secure Medical Devices, I am joined by five guest speakers representing three public-private initiatives addressing current issues in the healthcare ecosystem.

• Mike Powers, MBA: Representing the Legacy Devices task group within the Healthcare Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group. Mr. Powers is a Clinical Engineering Director at Intermountain Healthcare and a member of the AAMI Healthcare Technology Leadership Committee.
• Samantha Jacques, PhD: Dr. Jacques is also from the HSCC Joint Cybersecurity Working Group and is the Vice President of Clinical Engineering at McLaren Health Care, vice-chair of the AAMI Healthcare Technology Leadership Council, and a fellow of the American College of Healthcare Executives.
• Alex Wolf: Another representative of the HSCC Joint Cybersecurity Working Group as the Model Contract Language task group leader, Mr. Wolf is a Cybersecurity Specialist at Cleveland Clinic.
• Jim Jacobson: From the National Telecommunications and Information Administration (NTIA) Software Component Transparency work group, Mr. Jacobson is the Chief Product and Solution Security Officer of Siemens Healthineers, and Mr. Amusan is a Principal Cybersecurity Analyst at Mayo Clinic.
• Tola Amusan, MBA: Mr. Amusan is a Principal Cybersecurity Analyst at Mayo Clinic and also a member of NTIA.

Our first topic was addressed by Mr. Powers and Dr. Jacques on their projects at the HSCC’s Legacy Device work group. Officially, legacy devices are defined by the International Medical Device Regulators Forum as simply those that cannot be protected against current cybersecurity threats. In contrast to this vague description, Dr. Jacques elaborated on how clinical engineers of Health Delivery Organizations (HDOs) alternatively define them as devices no longer supported by the manufacturer, necessitating reactive strategies like microsegmentation and network monitoring to keep them secure. The task group’s upcoming publication will provide guidance on the core practices, challenges, recommendations, and HDO and Medical Device Manufacturers (MDM) perspectives. One critical area of contention it aims to resolve is the difference between “end of life” and “end of support.” To an MDM, “end of life” may potentially be initiated to justify terminating post-sale technical support, instructional material, and/or patch availability to incentivize replacement. From an HDO perspective, an unsupported device may still function perfectly, and prematurely relegating it to end-of-life status is often infeasible or cost prohibitive. As Mr. Powers concisely summarizes the distinction, “It’s end-of-life when I push the ‘ON’ button and it doesn’t turn on.”

Next, Mr. Jacobson and Mr. Amusan presented their work on Software Bills of Materials (SBOMs) at the NTIA. An SBOM is the list of “ingredients,” or the individual components of which a device’s software is composed. Explained by Mr. Jacobson, the task group has been creating a proof-of-concept SBOM since 2018. Their goal is to provide standardized and automated formats for use by manufacturers. Mr. Amusan highlighted the various use cases of how HDOs may utilize SBOMs across Healthcare Technology Management (HTM) functions ranging from procurement, asset management, risk management, vulnerability and patch management, and device life-cycle management.

In the final segment of the webinar, Mr. Wolf presented an overview of the HSCC’s Model Contract Language task group. Its foremost objective is establishing shared cooperation between MDMs and HDOs in regard to security, compliance, management, operation, and security of MDM-managed medical devices. The task group has been working a contract template for organizations of any size, which simplifies cybersecurity requirements and expectations between parties, and aligns with existing standards like NIST and the FDA Post-Market Guidance. A point of particular emphasis in the delegation of compliance responsibility and liability between parties. Security breaches to devices are an inevitability, so clearly establishing the duties and obligations ensures the HDO and MDM are prepared to recover, and to prevent. To quote Mr. Wolf, “In the event that something goes wrong, both parties are aware of those expectations and have a good understanding how to work through those issues.”

Episode Four blog of the CHIME’s Medical Device Security webinar series is up next. If you missed any of the previous episodes, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.