Health-ISAC issued guidance to support mitigation of pharmaceutical supply chain risks, while new HSCC guidance takes aim at communicating medical device vulnerabilities with non-security individuals. (Photo credit: "www.army.mil" by The U.S. Army is marked with CC BY 2.0.)

Health-ISAC and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group separately issued two new resources for the healthcare sector, which aim to help security leaders communicate device vulnerabilities and better understand pharmaceutical supply chain risks.

Released April 22, the Health-ISAC white paper was developed under the lead of Johnson & Johnson and facilitated by KPMG, in collaboration with Pfizer, Cardinal Health, McKesson, Abbott, and Eli Lilly. The security framework includes a guide for chief information security officers, along with best practices and recommended standards for securing the pharmaceutical ecosystem.

The guide comes in response to the uptick in targeted cyberattacks and attempted intellectual property theft against the sector brought on by the COVID-19 pandemic. One of the most notorious incidents in that time period was the theft of Pfizer and BioNTech vaccine data from the European Medicines Agency after a highly targeted cyberattack.

The pandemic also rapidly expanded the attack surface due to the digitalization and complexity of the pharmaceutical supply chain and the global reliance on third-party suppliers and partners, with varying degrees of security maturity.

The Health-ISAC resource addresses these risks and challenges, encouraging healthcare and pharma leaders to “make securing the supply chain an organizational imperative,” according to the report.

“CISOs are earning a much more strategic seat at the table: they are being asked to weigh in on how the business can pursue efficiency, productivity, and even growth initiatives without taking unnecessary reputational, financial, or regulatory risks,” the report authors wrote. “In other words, CISOs and their teams have shifted from the sidelines to … a key part of the ensemble.”

The report is compiled from interviews with CISOs in the pharmaceutical industry. It details the importance of tying security and technology investments to business economics and describes how the CISO role has evolved from an internal support function into a more visible one, both inside the organization and externally.

Pharma CISOs can use the paper to identify the most pressing threats to the sector and their potential impacts, as well as the key principles for mitigating the leading risks and how to close those gaps.

Guide to communicating device vulnerabilities

Meanwhile, the HSCC guidance addresses medical device vulnerability communications, which are typically highly technical and written for technology and security leaders who already understand the known risks and mitigations.

However, many healthcare stakeholders lack the experience or knowledge to translate technical device information into plainer language that can be shared with patients or other hospital leaders.

Aiming to build on the previously issued FDA medical device guidance, HSCC formed a Vulnerability Communications Task Group focused entirely on improving cybersecurity communication with patients. The work was informed by a survey of healthcare leaders, researchers, manufacturers and regulators to determine best practices.

HSCC used the feedback to develop the new toolkit, which aims to address these ongoing challenges by giving medical device manufacturers and software developers the tools needed to effectively communicate vulnerabilities in their products to non-security professionals, such as users, patients, clinicians, and others who may be unfamiliar with cybersecurity and connected technology.

“Transparency, effective communication of vulnerabilities and appropriate mitigation strategies are essential to ensure unacceptable risks are adequately managed,” the report authors wrote. But sharing this type of information with those less immersed in security is difficult in practice.

Take, for example, the recently proposed legislation that outlines requirements for device manufacturers, including sharing a software bill of materials (SBOM) with all users. Stakeholders have expressed concern that the move would not be wholly effective on its own, given the gap in technical literacy across the healthcare ecosystem: an SBOM is only useful to a recipient who can read it and act on it.

In short, the guide is meant to improve the current state of communicating vulnerability disclosures by using language that all audiences, including nontechnical stakeholders, can understand.

As such, the toolkit includes a guide to publicly disclosing vulnerabilities, with particular attention to communicating risks to patients. Entities will find details on vulnerability categorization, prioritization of communications, a glossary of terms for security concepts, and terminology to avoid. There are also step-by-step measures that break down the communication process.

The guide follows an earlier HSCC release that targets the cybersecurity contract language for medical tech, as well as an FDA update to its medical device security guidance.