July 26, 2023
Following the release of the National Cybersecurity Strategy (NCS) in March of this year, the Biden-Harris Administration followed up with a National Cybersecurity Strategy Implementation Plan (NCSIP) in July. Both documents express the urgency of improving the cybersecurity posture of the US government and critical infrastructure, and both recognize the growing cyber threats to our citizens, economy, and sensitive information. This critical infrastructure includes healthcare and, by extension, medical devices.
The aim of the National Cybersecurity Strategy is to strengthen the collaboration among stakeholders to defend critical infrastructure, disrupt and dismantle threat actors, help shape market forces to drive security and resilience, invest in a more cyber-secure future, and forge international alliances in support of these goals.
One clear message that the strategy and implementation plan deliver is the need to shift cybersecurity responsibility from the end user (such as the owners or operators) to the biggest, most capable, and best-positioned entities, meaning producers of software and devices will need to assume a greater share of the burden for reducing cyber risk. It also includes incentives to favor long-term investments in cybersecurity.
Those in the medical device industry will recognize parallels with other government initiatives, including H.R.2617, the Consolidated Appropriations Act (Omnibus Bill, Dec. 2022, the first federal law requiring medical device security), which gives FDA explicit authority on cybersecurity, as demonstrated through the “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices” (under Section 524B of the FD&C Act).
The Cybersecurity Implementation Plan details more than 65 high-impact Federal initiatives, from protecting American jobs by combating cybercrimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy.
A total of 18 agencies will be leading these initiatives and this whole-of-government approach, demonstrating the deep commitment to a more resilient, equitable, and defensible cyberspace.
The cybersecurity industry is no longer future-gazing at what the impact on medical devices will be. Instead, the reality we are living every day shows that establishing a proactive cybersecurity program is imperative for businesses to thrive. This is a hard problem to address and requires collaboration across multiple functions that sometimes have conflicting motivators (see our white paper, which outlines some of these).
The message delivered across government initiatives, from the White House to FDA, is clear: medical devices need to be “secure by design” and “secure by default”, thus relieving hospitals of the burden of securing these devices on their networks.
MedCrypt provides medical device cybersecurity products and services that meet regulatory guidance requirements. Schedule a meeting with us at info@medcrypt.com and learn more about our solutions.