Cybersecurity Toolkit for Digital Health

Download Toolkit
as a PDF

This toolkit serves as an educational resource for digital health companies at all stages of growth on both the fundamentals and best practices for cybersecurity and privacy protection. In addition to serving as a resource guide, the toolkit will also contain a Massachusetts common security checklist, created by MassChallenge HealthTech in collaboration with the CGE and with funding support from MeHI. This checklist provides a standard set of questions asked by a hospital prior to deployment of a new device or software in a clinical setting. The checklist is designed to provide startups an upfront guide to the key security and standardization requirements they will need to meet for any hospital engagement.

Applicable Regulations

A Startup's Guide to HIPAA

Rock Health's guide to HIPAA

Architecting Your Healthcare Application for HIPAA Compliance

Medium post from AWS on privacy in digital health product development

HIPAA Compliance for Startups

Rock Health's startup support video

Ten Steps Towards Achieving HIPAA Compliance

A list with advice for achieving HIPAA compliance

FDA Digital Health Innovation Plan

How does the FDA define digital health?

Cybersecurity Practices and Guidance for Medical Devices

FDA Medical Device Cybersecurity Page

Includes premarket and post market management of medical devices

Manufacturer Disclosure Statement for Medical Device Security

Consists of the MDS form and instructions for completing it. Assists professionals responsible for security-risk assessment in the management of medical device security issues.

AAMI TIR57

Provides medical device manufacturers with guidance on developing a cybersecurity risk management process for their products.

Health Sector Joint Cybersecurity Resources

Healthcare Industry Cybersecurity Task Force

Report on Improving Cybersecurity in the Healthcare Industry

Health Industry Cybersecurity Practices (HICP)

Managing Threats and Protecting Patients – an industry-led effort in response to a mandate of the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry

Medical Device and Information Technology Joint Security Plan

Recommendations for manufacturing and managing the security of medical devices for clinical practice

Organizational Cybersecurity Best Practices

DHS CISA Resources for Small and Midsize Businesses

Resources to assist SMBs and startups with securing their organization. Includes roadmap for critical infrastructure requirements for small and midsize businesses

FCC Small Biz Cyber Planner

Helps businesses create and save a custom cyber security plan quickly to address specific business needs and concerns.

FTC Small Business Fact Sheet

Covers cybersecurity basics and best practices including the NIST cybersecurity framework for SMBs, and covers security threats (e.g. phishing, ransomware, email spoofing, and tech support scams, etc.)

NIST Framework for Improving Critical Infrastructure Cybersecurity

Focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes

DHS Entrepreneurs Tip Card

Provides simple cybersecurity tips and resources for entrepreneurs.

HHS Quick Response Checklist for HIPAA Covered Entity or Business Associate

Provides HIPAA-related organizations brief guidance on responding to cyber incidents.

HIPAA Security Rule and NIST Crosswalk

Identifies “mappings” between the Cybersecurity Framework and the HIPAA Security Rule. This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification1 in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.

ISO/IEC 27000

Family of standards to help organizations keep information assets secure.

Secure by Design Best Practices

OWASP Secure Medical Device Deployment Standard

A guide and checklist organizations can use as the basis for securely deploying network enabled medical devices

UK Code of Practice for IOT

Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home

Vulnerability Disclosure Best Practices

ISO29147

Provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services

ISO30001

Guidelines for how to process and resolve potential vulnerability information in a product or online service

I am the Calvary

List of manufacturers in cyber safety industries who have coordinated vulnerability disclosure programs

Digital Health Cybersecurity Group Of Experts

In February 2019, the Council launched the Cybersecurity Group of Experts (CGE) to facilitate the creation of a cybersecurity toolkit. The CGE, chaired by MITRE, is composed of 11 industry experts from hospitals, industries including software, security and medical devices, academia and government. The CGE will support the growth of the digital health ecosystem by enhancing access to security and validation information needed to support commercialization of products and working with the Massachusetts Cyber Center, as well as supporting future Hacker Hospital sandbox environments. The CGE will also offer ongoing hackathon events, development training workshops around cybersecurity, HIPAA and other relevant topics.

Margie Zuk

Principal Cybersecurity Engineer, MITRE –co-chair of Group of Experts

Maeghan Welford

Director of Integration and Plans, MITRE –co-chair of Group of Experts

Josh Corman

Chief Security Officer, PTC

Jen Ellis

VP of Community and Public Affairs, Rapid 7

Ron Ford

Regional Cybersecurity Advisor New England, Department of Homeland Security, Office of Cybersecurity and Communications

Julian Goldman, MD

Director of Biomedical Engineering for Partners HealthCare, anesthesiologist at MGH and Director of Program on Medical Device Interoperability research program

Stephanie Helm

Director, MassCyberCenter

Christina Mazzone

Chief Information Security Officer, BWH

Michael McNeil

Head of Global Product and Security, Phillips

Paul Schieb

Chief Information Security Officer, Boston Children’s

Daniel Weitzner

Director, MIT Internet Policy Research Initiative and Research Scientist at CSAIL