May 6, 2019

Carter Groome • Chief Executive Officer
First Healthcare Advisory Solutions

Medical Device Risk Management – Provider Side Takeaways from the Joint Security Plan


The Health Sector Coordinating Council (HSCC) released the Joint Security Plan (JSP) in January with a goal of creating easy to follow guidance for increasing the security and resilience of medical devices and medical technologies.  While the report focus leans toward pre-market medical device themes such as design controls, complaint handling, and maturity evaluation, there are several areas that health delivery organizations (HDO’s) can and should leverage to bolster their risk management strategy.  

Rob Suarez and Kevin McDonald, Task Group Co-Chairs of the JSP, more recently highlighted the plan in an AEHIS webinar, curating the best practices that can be applied to gain more insights into your risk profile.  Here are key areas that stand out from the consumer, or HDO side of the JSP.

  1. Alignment of Expectations: Adopting common languages – CVSS and ISO 14971 for example –  and understanding of process between all stakeholders. Aligning the expectations of the manufacturers and the consumers in purchasing is a strong building block to effective collaboration. When considering the device lifecycle, utilization and decommissioning medical devices, understanding process and communication preferences up front is a powerful planning tool for managing devices in your organization.
  2. Procurement and Supply Chain Processes: As your organization looks to purchase and negotiate for new devices, are you incorporating key questions, RFP criteria and supply chain management into the process.  The JSP provides questions to ask prospective vendors that address structure, governance, risk registers and more (Section VIII) that you can pull right into your own process, facilitating quicker responses and information that will inform decisions through the entire lifecycle of your devices.  
  3. Medical Device Management Plan – The JSP provides the tools to incorporate a Medical Device Management Plan into a more comprehensive Cybersecurity Management Plan.  From vulnerability reporting and prioritization to patch management requirements, access controls and pen-testing documentation, communication and planning on how to deal with the risk is articulated in the JSP.  
  4. Incident Response Planning – Processes for notification, your vendor standards for getting incident information and timeliness in addressing vulnerabilities are all items that need to be addressed in advance.  These actions may lead to additional training and ultimately, more streamlined incident response. The JSP helps to incorporate medical device specifics into a more comprehensive IRP, building special use cases and decision trees for potential incidents throughout your device population.  Pulling in the right people by defining their roles and getting the necessary info to them and the vendor is ideal in assessing the impact of an incident.

The JSP is a great guide to help your team bridge the divide between device manufacturers and all of your stakeholders.  The JSP will be revised on a yearly basis and should be considered in your overall Enterprise Risk Assessment. If you are able to leverage what you currently have in place for assessments and Supply Chain Management Processes, you will be well on your way to improved communication and planning on how to more efficiently address medical device risks within your organization.